
Privacy regulations

Article 1. Definitions

1. Kliniek Dokter Frodo: treatment center for Botox, fillers and medical skin improvement.
2. Management: the management of Kliniek Dokter Frodo.
3. Personal data: any information concerning an identified or identifiable natural person.
4. Healthcare data: personal data that relates directly or indirectly to the physical or mental condition of those involved, collected by a healthcare professional in the course of his professional activities.
5. Processing of personal data: any action or set of actions with regard to personal data, including in any case collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, providing by transmission, dissemination or any other form of provision, bringing together, linking, as well as blocking, deleting or destroying data.
6. Providing personal data: disclosing or making data available.
7. Collection of personal data: obtaining personal data.
8. File: any structured set of personal data, regardless of whether this set of data is centralized or distributed in a functionally or geographically determined way, that is accessible according to certain criteria and relates to different people.
9. Controller (responsible person): management.
10. Processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority.
11. Data subject: the person to whom personal data relates.
12. Third party: anyone, other than the data subject, the controller, the processor, or any person who, under the direct authority of the controller or processor, is authorized to process personal data.
13. Recipient: the person to whom the personal data is provided.
14. Consent of the data subject: any free, specific and informed expression of will by which the data subject accepts that personal data concerning him or her be processed.
15. CBP: the Data Protection Board, the Board whose task is to supervise the processing of personal data.
16. WBP: the Data Protection Act.
17. WGBO: the Medical Treatment Agreement Act.
18. The BIG Act: the Individual Health Care Occupations Act.
19. Samen Act: the Act on Stimulating Minority Employment.
20. BOPZ: the Special Inclusion in Psychiatric Hospitals Act.
21. Complaints Committee: the committee established in accordance with the Complaints Act.

Article 2. Scope

These regulations apply to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data that is included in or intended to be included in a file. The personal data that is processed at Kliniek Dokter Frodo mainly concerns patient and staff data.

Article 3. General provisions

1. Management is responsible for establishing the general objectives of the processing systems used.
2. Without prejudice to the general objectives set by management, personal data is only processed with the consent of the person concerned and/or on the basis of an obligation under the law such as the WGBO, the WBP, the BIG Act, the Samen Act and/or to safeguard the vital interest of the person concerned.
3. Management is responsible for ensuring that the processing of personal data complies with the standards set by law and set out in these regulations.
4. Management may appoint an officer who, in the context of data protection, supervises the processing of personal data in accordance with laws and regulations. In doing so, management is bound by the legal provisions applicable to a privacy officer; among other things, the officer must be registered with the CBP.

Article 4. Purpose

1. These regulations apply within Kliniek Dokter Frodo and relate to the categories of data processing and purposes as listed in annex 1a and the overview of personal data processing drawn up by the institution (see annex 1b, which forms a whole with the regulations and is periodically reviewed by Kliniek Dokter Frodo for changes to be made).
2. The purpose of these regulations is to give practical effect to the provisions of the WBP and, where applicable, the provisions of other laws such as the WGBO, the BOPZ, the General Act on State Taxes and the Samen Act.
3. Within the purpose of these regulations, no information other than those described under article 1 will be included.

Article 5. Conditions for lawful processing

1. Personal data is processed properly and carefully in accordance with these regulations.
2. Personal data will not be further processed in a way that is incompatible with the purposes for which it was obtained.
3. Personal data is only processed insofar as, in view of the purposes for which it is collected or subsequently processed, it is sufficient, relevant and not excessive.
4. Management is responsible for the proper functioning of the processing of personal data. Its conduct with regard to the processing of personal data and the provision of data is determined by these regulations (*2).

Article 6. Processing of personal data (insofar as it is not healthcare data)

Personal data may only be processed if one of the following conditions is met:
a. the data subject has given his unambiguous consent to the processing;
b. this is necessary for the execution of an agreement to which the person concerned is a party, or for actions performed at the request of the person concerned and that are necessary for the conclusion of an agreement (*4);
c. this is necessary to comply with a legal obligation (*5);
d. this is necessary to combat serious risks to the health of the person concerned;
e. this is necessary for the performance of a task under public law (*6);
f. this is necessary to protect the legitimate interest of a third party to whom the data is provided and the interest of the person whose data is processed does not prevail.

Article 7. Provision of information to the person concerned/data obtained from the person concerned

1. If the personal data is obtained from the person concerned himself, the employee who collects the data shall inform the person concerned, before the time of obtaining it, of (*7):
a. the identity of the processing organization and the purposes of the processing for which the data is intended, unless the data subject is already aware of this;
b. further information insofar as, in view of the nature of the data, the circumstances under which it is obtained or the use that is made of it, it is necessary to ensure proper and careful processing for the data subject (*8).
Data obtained elsewhere
2. If the personal data is not obtained directly from the data subject, the employee who collects the data shall provide the data subject with the information referred to in article 7 (a) and (b), unless they are already aware of this:
a. At the time of recording data concerning him, or
b. when the information is intended to be provided to a third party, at the latest at the time of the first provision.
3. The employee who processes the data provides further information insofar as, in view of the nature of the data, the circumstances under which it is obtained or the use that is made of it, it is necessary to ensure proper and careful processing for the person concerned.
4. The provisions of paragraph 2 do not apply if communicating the information to the person concerned proves impossible or involves a disproportionate effort. In that case, the employee who collects the data records the origin of the data.
5. The provisions of paragraph 2 also do not apply if the recording or the provision is prescribed by or under the law. In that case, the employee who processes the data must, at his request, inform the person concerned about the legal requirement to record or provide the data concerning him.
6. If the employee processing the data has not informed the person concerned in accordance with this article, this means that the personal data has not been processed properly and carefully (*9).

Article 8. Specific rules for processing healthcare data

1. The processing of healthcare data requires explicit consent (*10) from the person concerned, unless it concerns a case as mentioned in paragraphs 2 and 6 of this article, or if provision is necessary to implement a legal requirement.
2. Without the consent of the person concerned - subject to paragraph 3 - by Management or on its instructions, personal health data may be provided for processing to:
a. Care providers, institutions or facilities for health care or social services to the extent necessary for the proper treatment or care of the person concerned; or for the purpose of managing the organization of management;
b. Insurers to the extent necessary to assess the risk to be insured by the insurance institution, with the exception of paragraph 4 of this article and the person concerned has not objected, or to the extent necessary for the execution of the insurance contract.
3. The personal data is only provided to persons or institutions that are obliged to maintain confidentiality by virtue of office, profession or legal regulation or under an agreement.
4. Without prejudice to any relevant legal regulations, only the professional who collected this data, those directly involved in the execution of the treatment agreement and the person who acts as a replacement for the counselor have access to the data processing, insofar as the provision is necessary for the work they perform in that context.
5. Personal data concerning hereditary traits may only be processed insofar as this data relates exclusively to the data subject who provided this data (*11) unless there is an overriding medical interest or the processing is necessary for scientific research. In the latter case, paragraph 8 of this article applies.
6. If personal data is anonymized in such a way that it is not reasonably traceable, Management may decide to provide it for purposes that are compatible with the purpose of data processing.
7. Personal data concerning a person's religion or belief, race, political opinion and sexual life may only be processed if and to the extent necessary in addition to the provision of personal data concerning someone's health as referred to in paragraph 2 of this article.
8. Personal data can only be provided for scientific research and statistics without the consent of the person concerned if:
a. The research is in the public interest,
b. The processing is necessary for the relevant research or statistics,
c. Asking for explicit consent proves impossible or involves a disproportionate effort and
d. The implementation provides such guarantees that the privacy of the person concerned is not disproportionately harmed.

Article 9. Representation

1. If the person concerned (here the patient) is under the age of twelve, the parents, who exercise parental authority, or the guardian, will replace the person concerned.
2. The same applies to the patient who has reached the age of twelve and cannot be considered capable of reasonably valuing his interests in this regard.
3. If the patient falls into the age group of twelve to sixteen and is able to reasonably value his interests, his parents act in addition to the patient himself.
4. If the patient is sixteen years of age or older and cannot be considered capable of reasonably valuing his interests in this regard, the following persons act as a representative for him, in the order shown here (*12):
a. The curator or mentor if the person concerned is under guardianship or a mentorship has been instituted on his behalf;
b. The personal representative if the person concerned has authorized them in writing, unless this person does not act;
c. The spouse or other companion of the person concerned, unless that person does not want to or is missing;
d. A child, brother or sister of the person concerned, unless that person does not want to.
5. However, even if the patient has reached the age of sixteen or another person concerned has reached the age of eighteen and is able to reasonably value his interests, he has the option of authorizing another person in writing to represent him instead.
6. The consent can be withdrawn at any time by the person concerned or his representative.
7. The person who replaces the person concerned shall take the care of a good representative. He is obliged to involve the person concerned as much as possible in the performance of his duties.
8. If a representative acts on behalf of the person concerned, management will fulfil its obligations under the law and these regulations towards this representative, unless such compliance is not compatible with the care of a responsible person.

Article 10. Right to view and copy personal data included

1. The data subject has the right to access the processed data concerning him or her.
2. The requested inspection and/or the requested copy will take place or be provided as soon as possible, but no later than four weeks.
3. A possible limitation ground for inspection and copying may be the important interests of others than the applicant, including Management.
4. A reasonable fee may be charged for providing a copy, not exceeding Euro 4.50 for the first 100 copies (Official Gazette of the Kingdom of the Netherlands, decision of 13 June 2001, number 305).

Article 11. Right to supplement, correct or delete personal data included

1. Upon request, the included data will be supplemented with a statement issued by the person concerned with regard to the included data.
2. The data subject can request the correction of data concerning him if it is factually inaccurate, incomplete or irrelevant for the purpose of processing, or if it occurs in the processing in violation of a legal requirement.
3. The data subject can request the deletion of data concerning him.
4. Management (for both patient data and personal data) shall provide a written message to the applicant, within four weeks of receiving the written request for correction or deletion, stating whether or how much the request is being complied with. A refusal shall state the reasons.
5. Management ensures that a decision to correct, supplement, delete or block is executed as soon as possible.
6. Management ensures that (*13) the data is deleted within three months of a request from the person concerned, unless it is reasonably likely that the storage is significant for someone other than the person concerned, and insofar as custody is required by law.

Article 12. Data retention

1. Taking into account the legal provisions, management determines how long the recorded personal data will be kept. These retention periods are:
a. For medical and healthcare data: in principle fifteen years from the time they were produced, or as much longer as reasonably results from the care of a good counselor or the care of a responsible person. As the moment at which the document was produced, Kliniek Dokter Frodo takes the patient's last consultation, i.e. the last time the file was used for treatment;
b. For data under the BOPZ Act: in principle five years after the production or termination of treatment or as much longer as reasonably results from the care of a good counselor or the care of a good person;
c. For non-medical data: no longer than necessary to achieve the purposes for which it is collected or subsequently processed, unless anonymized, if and insofar as it is kept solely for historical, statistical or scientific purposes. An appendix, which forms part of the privacy regulations, provides an overview of retention periods.
2. If the storage period of the care data has expired or the person concerned requests deletion before the expiry of the applicable storage period, the relevant medical personal data will be deleted within a period of three months.
3. However, deletion is omitted if it is reasonably likely that the custody is significant to someone other than the person concerned, and custody is required by law or if there is agreement between the person concerned and management.

Article 13. Complaints

If the person concerned is of the opinion that the provisions of these regulations are not being complied with or has other reason to complain, he can contact:
a. Management;
b. The complaints committee functioning within the institution in accordance with the scheme for independent complaint handling;
c. In accordance with the WBP, request the CBP to investigate whether Management's way of processing data complies with the WBP; or make use of the remedies provided for in chapter 8 of the WBP.

Article 14. Amendments, entry into force and inspection of these regulations

1. Changes to these regulations are adopted by management and made under management's responsibility.
2. The changes to the regulations are effective as of four weeks after they have been announced to those involved.
3. These regulations came into force on September 1, 2016 and can be requested from the secretariat, and can also be viewed via the website.

Footnotes

2* Management ensures that appropriate technical and organizational measures are carried out to protect against loss or any form of unlawful processing.

3* Management must ensure that the person concerned is sufficiently informed before consent can be given (so-called informed consent). This explicit consent does not have to be given in writing. Consent can also be seen from words or behavior.

4* An example of an agreement is the medical treatment agreement and the rental agreement.

5* For example, the provision of data under article 22 of the Hospital Facilities Act.

6* This should also involve the person responsible under the BOPZ and/or WMO.

7* This general notice can be made, for example, by issuing an information brochure or by including information about the regulations and the processing of personal data in the house rules.

8* Since the data is processed by a healthcare institution, it can generally be assumed that the data subject knows or may know that data processing is taking place. Notification of the recording of data to the individual person concerned can then be omitted. A general notice of the existence of the processing and these regulations is sufficient.

This is different if purposes other than providing care are an independent purpose of the processing, for example scientific research. In that case, it cannot simply be assumed that the person concerned knows about this objective.

9* Failure to comply with the information obligation will lead to unlawful processing. See also Article 5 (1).

10* Explicit consent: the person concerned must have expressed in word, writing or conduct his will to consent to the data processing concerning him.

11* Processing of personal data concerning hereditary traits with regard to others than the person about whom the data was originally obtained is also not permitted, even with the explicit consent of the person concerned or any family member to whom the data also relates.

12* The categories of representatives mentioned here correspond to the categories mentioned in the WGBO and BOPZ.

13* Removal also includes destruction.