ARTICLE 1. DEFINITIONS

  1. Health Butler VOF: IV Drips on location
  2. Management: the management of Health Butler VOF
  3. Personal data: any information relating to an identified or identifiable natural person.
  4. Healthcare data: personal data that directly or indirectly relates to the physical or mental health of individuals, collected by a healthcare professional in the context of their professional practice.
  5. Processing of personal data: any operation or set of operations performed on personal data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, blocking, erasure, or destruction of data.
  6. Provision of personal data: the disclosure or making available of data.
  7. Collection of personal data: obtaining personal data.
  8. File: any structured set of personal data, whether centralized or decentralized, accessible according to specific criteria, relating to different individuals.
  9. Controller: the management.
  10. Processor: a person who processes personal data on behalf of the controller without being under their direct authority.
  11. Data subject: an individual to whom personal data relates.
  12. Third party: any person other than the data subject, controller, processor, or any person authorized to process personal data under the direct authority of the controller or processor.
  13. Recipient: a person to whom the personal data is disclosed.
  14. Consent of the data subject: any freely given, specific, and informed indication of the data subject’s wishes by which they agree to the processing of personal data relating to them.
  15. Dutch Data Protection Authority (CBP): the supervisory authority responsible for overseeing the processing of personal data.
  16. Dutch Personal Data Protection Act (WBP): the Dutch legislation governing the protection of personal data.
  17. Dutch Medical Treatment Agreement Act (WGBO): the Dutch legislation governing medical treatment agreements.
  18. Dutch Healthcare Professions Act (Wet BIG): the Dutch legislation governing individual healthcare professions.
  19. Dutch Work Stimulation Act for Ethnic Minorities (Wet Samen): the Dutch legislation promoting labor participation of ethnic minorities.
  20. Dutch Mental Health Act (BOPZ): the Dutch legislation governing the admission and treatment of patients in psychiatric hospitals.
  21. Complaints Committee: the committee established in accordance with the Complaints Act.

 

ARTICLE 2. SCOPE

This regulation applies to the fully or partially automated processing of personal data, as well as the non-automated processing of personal data that is included in or intended to be included in a file. The personal data processed by Health Butler VOF mainly includes patient and staff data.

 

ARTICLE 3. GENERAL PROVISIONS

  1. The management is responsible for determining the general objectives of the processing systems used.
  2. Without prejudice to the general objectives established by the management, personal data is only processed with the consent of the data subject and/or based on an obligation under the law, such as the WGBO, WBP, Wet BIG, “Wet Samen,” or for the protection of the vital interests of the data subject.
  3. The management is responsible for ensuring that the processing of personal data complies with the legal norms and the provisions stated in this regulation.
  4. The management may appoint a data protection officer who oversees the processing of personal data in accordance with legal regulations. The management is required to comply with the legal provisions applicable to a privacy officer, including the obligation to notify the Dutch Data Protection Authority (CBP) of the appointment.

 

ARTICLE 4. PURPOSE

  1. This regulation applies to Health Butler VOF and pertains to the categories of data processing and purposes mentioned in Annex 1a and the overview of personal data processing activities prepared by the organization (see Annex 1b, which is an integral part of this regulation and is periodically reviewed by Health Butler VOF for any changes).
  2. The purpose of this regulation is to provide a practical implementation of the provisions of the Personal Data Protection Act (WBP) and, where applicable, the provisions of other laws such as the Medical Treatment Agreement Act (WGBO), the Mental Health Act (BOPZ), the General Tax Act, and the Public Administration Act.
  3. The scope of this regulation is limited to the data described in Article 1.

 

ARTICLE 5. CONDITIONS FOR LAWFUL PROCESSING

  1. Personal data shall be processed in accordance with this regulation in a fair and careful manner.
  2. Personal data shall not be further processed in a manner incompatible with the purposes for which they were obtained.
  3. Personal data shall only be processed to the extent that they are adequate, relevant, and not excessive, considering the purposes for which they were collected or subsequently processed.
  4. The management is responsible for ensuring the proper functioning of the processing of personal data. Their actions regarding the processing of personal data and the provision of data shall be governed by this regulation (*2).

 

ARTICLE 6. PROCESSING OF PERSONAL DATA (EXCLUDING HEALTH DATA)

Personal data may only be processed if one of the following conditions is met:

  1. The data subject has given explicit consent for the processing.
  2. The processing is necessary for the performance of a contract in which the data subject is a party or for pre-contractual measures requested by the data subject (*4).
  3. The processing is necessary to comply with a legal obligation (*5).
  4. The processing is necessary to protect the vital interests of the data subject.
  5. The processing is necessary for the performance of a task carried out in the public interest (*6).
  6. The processing is necessary for the legitimate interests pursued by a third party to whom the data is disclosed, provided that the interests of the data subject do not override those legitimate interests.

 

ARTICLE 7. PROVISION OF INFORMATION TO THE DATA SUBJECT / DATA OBTAINED FROM THE DATA SUBJECT

  1. If personal data is obtained directly from the data subject, the employee collecting the data shall inform the data subject before obtaining the data (*7):
     a. The identity of the processing organization and the purposes of the processing for which the data is intended, unless the data subject is already aware of this information;
     b. Further information, to the extent necessary considering the nature of the data, the circumstances of its collection, or the use made of it, in order to ensure fair and careful processing in relation to the data subject (*8).

The management must ensure that the data subject is adequately informed before consent can be given (known as “informed consent”). This explicit consent does not have to be given in writing and can also be implied through words or actions.

Data obtained from other sources

  2. If personal data is not obtained directly from the data subject, the employee collecting the data shall provide the data subject with the information mentioned in Article 7(a) and (b), unless the data subject is already aware of this information:
     a. At the time of recording data concerning the data subject, or
     b. When the data is intended to be disclosed to a third party, no later than the time of the first disclosure.
  3. The employee processing the data shall provide further information to the extent necessary considering the nature of the data, the circumstances of its collection, or the use made of it, in order to ensure fair and careful processing in relation to the data subject.
  4. The provisions of point 2 do not apply if it is impossible or would involve a disproportionate effort to provide the information to the data subject. In that case, the employee collecting the data shall record the source of the data.
  5. The provisions of point 2 also do not apply if the determination or disclosure is required by or pursuant to the law. In that case, the employee processing the data shall, upon request, inform the data subject of the legal provision that led to the recording or disclosure of the data concerning the data subject.
  6. If the employee processing the data has not informed the data subject in accordance with this article, it means that the personal data has been processed in an improper and careless manner (*9).

 

ARTICLE 8. SPECIFIC RULES FOR THE PROCESSING OF HEALTHCARE DATA

  1. The explicit consent (*10) of the data subject is required for the processing of healthcare data, unless it falls within the cases mentioned in paragraphs 2 and 6 of this article, or if disclosure is necessary for the performance of a legal provision.
  2. Without the consent of the data subject, personal data concerning health may be disclosed for processing to:
     a. Healthcare providers, institutions, or services to the extent necessary for the proper treatment or care of the data subject or for the management of the organization of the management;
     b. Insurers to the extent necessary for the assessment of the risk to be insured by the insurance institution, excluding paragraph 4 of this article, provided that the data subject has not objected or to the extent necessary for the performance of the insurance contract.
  3. The personal data shall only be disclosed to persons or institutions who, by virtue of office, profession, legal provision, or a confidentiality agreement, are obliged to maintain confidentiality.
  4. Subject to any statutory provisions in this regard, only the healthcare professional who has collected the data, those directly involved in the performance of the treatment agreement, and the person acting as a substitute for the healthcare provider shall have access to the data processing to the extent necessary for the performance of their duties in that context.
  5. Personal data concerning hereditary characteristics may only be processed to the extent that these data relate exclusively to the data subject who provided this data (*11), unless there is a compelling medical interest or the processing is necessary for scientific research. In the latter case, point 8 of this article applies.
  6. If personal data has been anonymized to the extent that it is not reasonably traceable, the Management may decide to disclose it for purposes that are compatible with the purpose of the data processing.
  7. Personal data concerning a person’s religious or philosophical beliefs, race, political opinion, and sexual life may only be processed if and to the extent necessary in addition to the provision of personal data concerning a person’s health as referred to in paragraph 2 of this article.
  8. Personal data can only be disclosed without the consent of the data subject for the purpose of scientific research and statistics if:
     a. The research serves a general interest,
     b. The processing is necessary for the research or statistics in question,
     c. Obtaining explicit consent proves impossible or would involve a disproportionate effort, and
     d. Measures are in place to ensure that the data subject’s privacy is not disproportionately affected.

 

ARTICLE 9. REPRESENTATION

  1. If the data subject (here the patient) is younger than twelve years old, the parents exercising parental authority or the guardian shall act on behalf of the data subject.
  2. The same applies to a patient who has reached the age of twelve and cannot be reasonably expected to assess their own interests regarding the matter.
  3. If the patient falls within the age range of twelve to sixteen and is capable of reasonably assessing their own interests, in addition to the patient, their parents shall act on their behalf.
  4. If the patient is sixteen years of age or older and cannot be reasonably expected to assess their own interests, the following persons shall act as representatives for the patient in the order presented here (*12):
     a. The curator or mentor if the patient is under guardianship or a guardianship has been established for them;
     b. The personally authorized individual if the patient has authorized them in writing, unless this person does not act;
     c. The spouse or other life partner of the patient, unless this person does not wish to act or is absent;
     d. A child, sibling, or relative of the patient, unless this person does not wish to act.
  5. However, even if the patient is sixteen years of age or older or another data subject has reached the age of eighteen and is capable of reasonably assessing their own interests, they have the option to authorize another person in writing to act as their representative.
  6. The consent may be revoked at any time by the data subject or their representative.
  7. The person acting on behalf of the data subject shall exercise the care of a good representative. They are obliged to involve the data subject as much as possible in the fulfillment of their tasks.
  8. If a representative acts on behalf of the data subject, the Management shall fulfill its obligations arising from the law and this regulation towards this representative, unless such compliance is incompatible with the care of a responsible party.

 

ARTICLE 10. RIGHT OF ACCESS AND COPY OF RECORDED PERSONAL DATA

  1. The data subject has the right to access the processed data concerning them.
  2. The requested access and/or copy shall be provided as soon as possible, and no later than within four weeks.
  3. Weighty interests of parties other than the requester, including the Management, may be grounds for restricting access and copy.
  4. A reasonable fee may be charged for the provision of a copy, which shall not exceed EUR 4.50 for the first 100 copies (Official Gazette of the Kingdom of the Netherlands decree of 13 June 2001, number 305).

 

ARTICLE 11. RIGHT TO SUPPLEMENT, CORRECT, OR DELETE RECORDED PERSONAL DATA

  1. Upon request, the recorded data shall be supplemented with a declaration provided by the data subject regarding the recorded data.
  2. The data subject may request the correction of data concerning them if such data is factually incorrect, incomplete, irrelevant for the purpose of processing, or in violation of a legal provision.
  3. The data subject may request the deletion of data concerning them.
  4. The management (for both patient data and personnel data) shall provide a written notification to the requester within four weeks of receiving a written request for correction or deletion, indicating whether, and to what extent, the request will be fulfilled. A refusal shall be substantiated.
  5. The management shall ensure that a decision regarding correction, supplementation, deletion, or restriction is implemented as soon as possible.
  6. The management shall ensure the deletion of data (*13) within three months following a relevant request from the data subject, unless it is reasonably evident that preservation is of significant interest to someone other than the data subject, or when retention is required by a legal provision.

 

ARTICLE 12. RETENTION OF DATA

  1. In compliance with legal provisions, the management determines the duration for which recorded personal data shall be retained. These retention periods are as follows:
     a. For medical and care data: generally fifteen years from the moment of creation or for a longer period as reasonably derived from the care of a competent healthcare provider or a responsible party. In the case of Health Butler BV, the moment of creation is considered to be the patient’s last consultation, i.e., the last time the file was used for treatment purposes.
     b. For data within the scope of the BOPZ (Mental Health Act): generally five years from the date of creation or termination of treatment, or for a longer period as reasonably derived from the care of a competent healthcare provider or a responsible party.
     c. For non-medical data: not longer than necessary for the purposes for which they were collected or subsequently processed, unless anonymized, if and to the extent that they are solely preserved for historical, statistical, or scientific purposes. An overview of retention periods is provided in an appendix.
     d. The appendix, which is an integral part of the privacy policy, contains the overview of retention periods.
  2. If the retention period for healthcare data has expired or if the data subject requests deletion before the applicable retention period expires, the relevant medical personal data shall be deleted within a period of three months.
  3. However, deletion shall be omitted when it is reasonably evident that preservation is of significant interest to someone other than the data subject, or when retention is required by a legal provision, or when there is agreement between the data subject and the management.

 

ARTICLE 13. COMPLAINTS

If the data subject believes that the provisions of this policy are not being complied with or has other reasons to complain, they may address:

  a. The management;
  b. The complaints committee functioning within the institution, in accordance with the independent complaints handling scheme;
  c. The Dutch Data Protection Authority (CBP) in accordance with the Dutch Data Protection Act (WBP) to request an investigation into whether the manner of data processing by the Management complies with the WBP or to exercise the appeal possibilities provided in Chapter 8 of the WBP.

 

ARTICLE 14. AMENDMENTS, ENTRY INTO FORCE, AND ACCESSIBILITY OF THIS POLICY

  1. Amendments to this policy shall be determined by the management and implemented under the responsibility of the management.
  2. The amendments to the policy shall come into effect four weeks after they have been communicated to the individuals concerned.
  3. This policy entered into force on September 1, 2016, and can be requested from the secretariat. It is also available for viewing on the website.

2* The management shall ensure appropriate technical and organizational measures are implemented to safeguard against loss or any form of unlawful processing.

3* The management must ensure that the data subject is adequately informed before consent can be given (known as informed consent). This explicit consent does not need to be given in writing and can also be inferred from words or behavior.

4* Examples of agreements include the medical treatment agreement and the lease agreement.

5* For example, data provision in accordance with Article 22 of the Hospital Facilities Act.

6* In this context, the responsible party under the BOPZ (Mental Health Act) and/or WMO (Social Support Act) should also be involved.

7* This general notification can be done, for example, by distributing an information brochure or by including information about the policy and the processing of personal data in the house rules.

8* Since the processing of data is carried out by a healthcare institution, it can generally be assumed that the data subject knows or can reasonably be aware that data processing is taking place. Notification to the individual data subject may be omitted. It is sufficient to provide a general notification of the existence of the processing and this policy. However, this is different if purposes other than healthcare provision are an independent objective of the processing, such as scientific research. In that case, it cannot be assumed without further notice that the data subject is aware of this objective.

9* Failure to comply with the obligation to provide information will result in unlawful processing. See also Article 5, paragraph 1.

10* Explicit consent: the data subject must have expressed their consent in words, writing, or behavior to the processing of their personal data.

11* Processing of personal data concerning hereditary characteristics relating to individuals other than those from whom the data was originally obtained is also not permitted without the explicit consent of the data subject or any family member to whom the data also relates.

12* The categories of representatives mentioned here correspond to those mentioned in the Medical Treatment Agreements Act (WGBO) and the BOPZ.

13* The term “deletion” should also be understood to include destruction.