Privacy and cookie statement
Article 1. General
The dental practice ensures that patients’ (exceptional) Personal Data are treated with care. We adhere to the applicable laws and regulations, including the General Data Protection Regulation. With this Privacy Statement, we want to inform you further about our policy.
Article 2. Definitions
For the sake of clarity, we briefly explain what is meant by certain terms:
- Personal Data: all data by means of which the patient can be identified.
- Person Responsible: the controller, as indicated in article 4 section 7 of the Regulation. In this privacy statement, this is the dental practice.
- Processing: the treatment of personal data, performed by automated procedures or otherwise, such as the collection, registration, organising, storing, updating, editing, requesting, consulting, utilising, provision by means of forwarding, distribution or any other kind of provision, compiling, connecting, as well as shielding, erasing or destroying of Personal Data.
- Processor: the person concerned with Processing Personal Data on behalf of the dental practice, without being subject to its authority, such as auxiliary staff hired by the Person Responsible.
- Data Subject: the person to whom the Personal Data relate, generally the patient.
- Regulation: the General Data Protection Regulation.
- Regulation (EU): Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016, L 119).
- Privacy Statement: this document.
- Pseudonymised data: Personal Data that can no longer be linked to a specific Data Subject without the use of additional data. These additional data are stored in such a manner that they cannot be linked to an identifiable person.
Article 3. How do we gather data?
Personal Data originate or are derived from data that are provided verbally or in writing by the Data Subject or their legal representative. Other than that, Personal Data can be provided by the health insurer, the general practitioner, other practitioners, specialists, aid workers, or sources other than the abovementioned persons or entities.
Article 4. How and why do we process data?
- Data are processed in a manner that is legal, proper, and transparent toward the Data Subject. Moreover, Personal Data are collected for certain, explicitly specified and justified purposes. Processing data does not happen in a manner that is incompatible with these purposes.
- Processing data aimed at archiving for the common good, scientific or historical research or statistical purposes is not considered incompatible with the original purposes.
- Processing is only justified if and insofar as one of the conditions below has been met:
  a. Consent by the Data Subject;
  b. Entering into and performing a treatment (agreement);
  c. Safeguarding a vital interest of the Data Subject, such as an emergency;
  d. Safeguarding a justified interest of the Person Responsible or a third party (such as business continuity);
  e. Necessity to fulfil a legal obligation or agreement with the Data Subject.
- Personal Data will only be Processed insofar as they are adequate, relevant, and limited to what is necessary in view of the purposes to which they are Processed.
- The dental practice processes Personal Data for the following purposes:
  a. Treatment of the Data Subject;
  b. Informing and contacting the Data Subject(s);
  c. Financial administration;
  d. Correct operation of the website.
Article 5. Conditions for consent
The Person Responsible can prove that the Data Subject has consented to Processing of the data. The Data Subject can always withdraw consent once given.
Article 6. Other data
Anonymised data are not covered by the Privacy Statement.
Article 7. What data are concerned?
Processing can apply to the following data categories:
a. Name, first names, initials, title, gender, date of birth, address, postal code, residence, telephone number and similar data required for communication, as well as payment information of the Data Subject;
b. An administrative number that contains no information other than that covered by a;
c. Data, as referred to under a, of parents, guardians or carers of minor Data Subjects;
d. Data, as referred to under a, of family members or relatives of the Data Subject as well as others that are informed on the health and wellbeing of the Data Subject;
e. Information on the health of the Data Subject and, in case of hereditary conditions, their family members and relatives;
f. Other exceptional Personal Data regarding the proper treatment or care of the Data Subject;
g. Information on given and to be given treatment of the Data Subject as well as provided medication or provisions;
h. Information on the calculation, registration, and collection of fees;
i. Information regarding the insurance of the Data Subject;
j. Other data required for the treatment.
Article 8. Information Obligation
- Before the Person Responsible Processes Personal Data, they inform the Data Subject and/or their legal representative:
  - Who is responsible for Processing the Personal Data;
  - Why certain, concrete Personal Data will be processed;
  - If applicable, the contact information of the data protection officer;
  - The manner in which the Personal Data will be processed;
  - The period for which the Personal Data will be stored, or, if this is not available, the criteria for the determination of this period;
  - All other information that has to be provided in view of thoroughness. This means: The more sensitive the Personal Data are that the Person Responsible wishes to Process, the more thorough the information given.
  - An explanation of the purpose or purposes of the Processing of Personal Data;
- If Personal Data are requested by a third party, or provided to a third party, the information obligation will be met in the same manner, before the Personal Data are received or provided, unless this can only be done through disproportionate effort.
Article 9. Right to access
- The Data Subject has the right to access their Personal Data and can request the following data:
  - All available data regarding the origin of the Personal Data;
  - The categories of Data that the Processing applies to;
  - An overview of recipients or categories of recipients that have received the Personal Data;
  - If possible, the period for which the Personal Data are estimated to be stored, or, if this is not possible, the criteria to determine this period;
  - That the Data Subject has the right of rectification, the right of data erasure, and the right of restriction of processing.
- A request for access can be denied on the following grounds:
  - The requester is not a Data Subject, or their request does not apply to data that only apply to the requester;
  - The requester has not yet reached the age of 16 and/or has been placed under guardianship. In that case, only the legal representative can make the request;
  - The Person Responsible has recently complied with a comparable request by the same requester;
  - Protection of the Data Subject or the rights or liberties of others;
  - For reasons of national security, and/or the prevention, investigation and prosecution of criminal offences.
Article 10. Other rights
- The Data Subject always has the right to object to the Processing of Personal Data that apply to them. The Person Responsible will cease Processing in case of objections.
- The Data Subject has the right to receive immediate rectification by the Person Responsible of incorrect Personal Data that apply to them.
- The Data Subject has the right to receive erasure by the Person Responsible of Personal Data that apply to them without unreasonable delay. Furthermore, the Person Responsible is obliged to erase data without unreasonable delay if the Data Subject revokes their consent, or if the Person Responsible no longer needs the Personal Data for the purposes for which they were collected.
- If the Data Subject disputes the correctness of the Personal Data, they have the right to receive restriction of the Processing from the Person Responsible.
- The Data Subject has the right to receive the Personal Data that apply to them, which they provided to the Person Responsible, in a structured, conventional, and machine-readable form.
Article 11. The exercise of rights by the Data Subject
The Person Responsible will take appropriate measures to ensure the Data Subject receives the communication and information regarding the rights as described in this Privacy Statement in a concise, transparent, and accessible manner, and in clear terms.
Article 12. Access to and recipients of Personal Data
- In principle, only those directly involved with the execution of the treatment of the Data Subject have access to Personal Data, insofar as this is necessary for their work.
- When data is Processed on behalf of the Person Responsible, the Person Responsible will only call upon Processors who provide sufficient guarantees that the Personal Data will be Processed in accordance with the Regulation (EU), the Regulation, or any regulations based on these.
- Otherwise, the following persons and entities can be provided access/can receive Personal Data:
  - Researchers as described in article 7:458 of the Civil Code;
  - Health insurers insofar as necessary in view of the obligations in the insurance agreement;
  - Third parties charged with collecting receivables insofar as access/provision is necessary and this does not concern medical data;
  - Others, if the reasons for Processing the data are among the following:
    (i) Consent by the Data Subject;
    (ii) A necessity in order to meet a legal obligation;
    (iii) Safeguarding a vital interest on behalf of the Data Subject.
  - Others, if the further Processing occurs in view of historical, statistical or scientific purposes, and if the Person Responsible has taken the necessary measures to ensure the Processing is limited to these purposes.
Article 13. Register
The Person Responsible maintains a register of all processing activity that takes place under their responsibility. This register contains the following data:
- The name and contact information of Person Responsible and, if applicable, of the data protection officer;
- The purposes of Processing;
- The categories of the data the Processing applies to;
- The categories of recipients Personal Data are provided to;
- If possible, the estimated period within which the Personal Data have to be erased;
- If possible, a description of any technical and organisational measures taken.
Article 14. Notification of privacy breach
- If a breach related to Personal Data has taken place, the Person Responsible will, if and insofar as they are legally obliged, notify the Data Subject and the competent authority as soon as the Person Responsible becomes aware of this breach.
- The notification referred to in the first section contains at least:
  - The nature of the breach;
  - The likely consequences of the breach;
  - The measures the Person Responsible has taken following the breach;
  - A point of contact for more information.
Article 15. Storage periods
- Medical data that were collected in order to enter into or to fulfil a treatment agreement are stored for 15 years. The Person Responsible is not required to maintain longer storage periods than legally obliged, in particular by Article 7:454 section 3 of the Civil Code.
- Other Personal Data will not be stored for longer than necessary for the purposes for which they were Processed. If those Personal Data are no longer required, they will be erased.
Article 16. Confidentiality
- The Person Responsible, the Processor, and anyone who has access to Personal Data on behalf of the Person Responsible must treat the Personal Data confidentially.
- Data regarding the health of the Data Subject(s) are categorised as ‘exceptional Personal Data’. Anyone who Processes exceptional Personal Data is under the obligation of confidentiality. This derives from the office, the profession, or the employment contract of this person.
Article 17. Security
- The Person Responsible has to arrange appropriate technical and organisational measures to protect Personal Data.
- ‘Appropriate’ means that the security measures to be taken fit the risk of the Personal Data being carelessly or unjustly Processed further, and the damage that this would cause. The measures taken need to ensure that:
  - Only authorised persons have access to Personal Data;
  - The Personal Data are correct and are not lost;
  - The Personal Data are available for justified Processing without hindrance, in accordance with the agreements within the organisation.
- In all cases, the Person Responsible is responsible for the information security policy and communicates this policy within the dental practice.
Article 18. Final provisions
- The Person Responsible does not accept more obligations than those required of them by law, unless agreed otherwise with the Data Subject in writing.
- The Data Subject has the right to submit a complaint with the supervisory authority.
- Changes to this Privacy Statement are made by the Person Responsible. Changes to the Privacy Statement that affect Data Subject(s) take effect after the Data Subject(s) have been informed of the change.
This Privacy Statement came into effect on 25-05-2018, and can be viewed at the dental practice. You can contact Tandzorg Kralingen for questions or to exercise rights.