Privacy declaration

Article 1. General

Dental practice Leidschendam ensures that (special) Personal Data of patients is handled with care. We comply with applicable laws and regulations, including the General Data Protection Regulation. With these Privacy Regulations we would like to inform you in more detail about our policy.

Article 2. Definitions

For the sake of clarity, we briefly indicate what we mean by certain terms:

• Personal data: all data by which the patient can be identified.
• Responsible: the controller, as referred to in Article 4(7) of the Regulation. For these privacy regulations the dental practice.
• Processing/Processing: any processing of personal data, whether or not carried out by automated processes, such as collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, providing by transmission, dissemination or any other form of making available, bringing together, with each other connection, as well as the blocking, erasure or destruction of Personal Data.
• Processor: the person who is responsible for the Processing of Personal Data on behalf of the dental practice, without being subject to his direct authority, such as assistants hired by the Controller.
• Data subject: the person to whom the Personal Data relates, in general the patient.
• Implementation Act: the Implementation Act of the General Data Protection Regulation.
• Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJEU 2016, L 119).
• Privacy regulations: this document.
• Pseudonymized data: Personal data that can no longer be linked to a specific data subject without additional data being used. This additional data is stored in such a way that it cannot be linked to an identifiable person.

Article 3. How do we obtain the data?

Personal data originates or is derived from data provided orally and in writing by the Data Subject or his legal representative. Personal data may also be provided by the health insurer, the general practitioner, other practitioners, specialists, care providers or persons or institutions other than the aforementioned.

Article 4. How and why do we process data?

• Processing is carried out in a manner that is lawful, fair and transparent with regard to the Data Subject. In addition, the collection of Personal Data is for certain, expressly described and legitimate purposes. Their Processing does not take place in a manner incompatible with those purposes.
• Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the original purposes.
• The Processing is only lawful if and to the extent that at least one of the conditions below is met:
  
  • Consent of the Data Subject;
  • Entering into and carrying out a treatment (agreement);
  • Safeguarding a vital interest of the Data Subject, such as emergencies;
  • Promoting a legitimate interest of the Controller or a third party (for example business continuity);
  • Necessity to comply with a legal obligation or an agreement with the Data Subject.
  • Personal data are only Processed to the extent that they are sufficient, relevant and limited to what is necessary, taking into account the purposes for which they are Processed.
  • The dental practice processes Personal Data for the following purposes:
    
    • Treatment of the Data Subject;
    • Informing and contacting the Data Subject(s);
    • Financial administration;
    • Good functioning of the website.
    • Conducting patient satisfaction surveys

Article 5. Conditions for consent

• The Controller can demonstrate that the Data Subject has given permission for the Processing.
• The Data Subject can always withdraw given consent.

Article 6. Other information

Anonymized data does not fall under the scope of these Privacy Regulations.

Article 7. What data is involved?

Processing may relate to the following data categories:

• Surname, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number and similar data required for communication, as well as payment details of the Data Subject;
• An administration number that does not contain any information other than under a;
• Data as referred to under a, of the parents, guardians or caretakers of minor Data Subjects;
• Data as referred to under a of the family members or relatives of the Data Subject as well as others who are informed about the well-being and health of the Data Subject;
• Information about the health status of the Data Subject and, in the event of hereditary disorders, his family members and relatives;
• Other special Personal Data with a view to the proper treatment or care of the Data Subject;
• Information about the treatment followed and to be followed by the Data Subject as well as the medication or facilities provided;
• Information about calculating, recording and collecting the compensation;
• Information about the insurance of the Data Subject;
• Other data necessary for the treatment.

Article 8. Information obligation

• Before the Controller Processes Personal Data, he informs the Data Subject and/or his legal representative:
  
  • Who is responsible for the processing with contact details;
  • Why certain, concrete Personal Data will be Processed;
  • If applicable, the contact details of the data protection officer;
  • How the Personal Data are Processed;
  • The period for which the Personal Data will be stored, or, if that is not possible, the criteria for determining that period;
  • All other information that must be provided for the purpose of due care. This also means: The more sensitive the Personal Data that the Controller wants to Process, the more thorough information must be provided.
  • If Personal Data is requested via a third party, or is supplied to a third party, the information obligation is met in the same way before the Personal Data is obtained or supplied, unless this can only be done with a disproportionate effort.

Article 9. Right of access

• The Data Subject has the right to view his Personal Data and can request the following information:
  
  • A description of the purpose or purposes of the Processing of Personal Data;
  • All available information regarding the origin of the Personal Data;
  • The categories of data to which the Processing relates;
  • An overview of recipients or categories of recipients who have received the Personal Data;
  • If possible, the period for which the Personal Data is expected to be stored, or if that is not possible, the criteria for determining that period;
  • That the Data Subject has the right to rectification, the right to erasure of data and the right to restriction of processing.
  • A request for access may be rejected for the following reasons:
    
    • The requester is not a Data Subject or his/her request does not relate to data that relate only to the requester;
    • The applicant has not yet reached the age of 16 and/or has been placed under guardianship. In that case, only the legal representative can make the request;
    • The controller has already recently responded to a similar request from the same applicant;
    • Protection of the Data Subject or of the rights and freedoms of others;
    • For the security of the state and/or the prevention, detection and prosecution of criminal offences.

Article 10. Other rights

• The Data Subject has the right to object at any time to the Processing of Personal Data concerning him. The Processing will be stopped by the Controller in the event of an objection.
• The Data Subject has the right to obtain from the Controller without delay rectification of incorrect Personal Data concerning him or her.
• The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without unreasonable delay.

In addition, the Controller is obliged to delete data without unreasonable delay when the Data Subject has withdrawn his consent or the Controller no longer needs the Personal Data for the purposes for which it was collected.

• If the Data Subject disputes the accuracy of the Personal Data, he or she has the right to obtain a restriction of the Processing from the Controller.
• The Data Subject has the right to receive the Personal Data concerning him, which he has provided to the Controller, in a structured, commonly used and machine-readable form.

Article 11. The exercise of rights by the Data Subject

The Controller takes appropriate measures so that the Data Subject receives the communication or information regarding the rights described in these Privacy Regulations in a concise, transparent and accessible manner and in clear words.

Article 12. Access to and Recipients of Personal Data

• In principle, only those who are directly involved in carrying out the treatment of the Data Subject have access to Personal Data, to the extent that access is necessary for their work.
• When Processing is carried out on behalf of the Controller, the Controller only calls on Processors who provide adequate guarantees that the Personal Data are Processed in accordance with the Regulation, the Implementation Act or regulations based thereon.
• Otherwise, access may be granted/personal data may be provided to the following persons and authorities:
  
  • Researchers as referred to in Article 7:458 of the Civil Code;
  • Health insurers to the extent necessary in view of the obligations under the insurance agreement;
  • Third parties charged with collecting claims insofar as access/provision is necessary and it does not concern medical data;
  • Others, when the basis for the Processed Data is:

(i) Consent of the Data Subject;

(ii) A need to comply with a legal obligation;

(iii) Safeguarding a vital interest of the Data Subject.

• Others, when further Processing is carried out for historical, statistical or scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is carried out exclusively for these purposes.

Article 13. Register

The Controller keeps a register of the processing activities that take place under its responsibility. This register contains the following information:

• The name and contact details of the Controller and, if applicable, of the data protection officer;
• The processing purposes;
• The categories of data to which the Processing relates;
• The categories of recipients to whom Personal Data is provided;
• If possible, the intended period within which the Personal Data should be deleted;
• If possible, a description of the technical and organizational measures taken.

Article 14. Notification of infringement

• If a breach has occurred in connection with Personal Data, the Controller will inform the Data Subject and the Dutch Data Protection Authority as soon as possible after becoming aware of this, if and to the extent required by law.
• The notification referred to in the first paragraph shall contain at least:
  
  • The nature of the infringement;
  • The likely consequences of the infringement;
  • The measures taken by the Controller as a result of the infringement;
  • A point of contact for more information.

Article 15. Retention periods

• Medical data obtained to enter into or fulfill a treatment agreement will be kept for 15 years. The Controller is not obliged to longer retention periods than required by law, in particular Article 7:454 paragraph 3 of the Civil Code.
• Other Personal Data will not be kept for longer than is necessary for the purposes for which they were Processed. When that Personal Data is no longer needed, it will be deleted.

Article 16. Confidentiality

• The Controller, the Processor and anyone who has access to Personal Data under the authority of the Controller are obliged to maintain the confidentiality of the Personal Data.
• Data relating to the health of the Data Subject(s) are regarded as 'special Personal Data'. When processing special Personal Data, everyone who Processes them has a duty of confidentiality. This arises from the office, profession or employment contract of the person.

Article 17. Security

• The Controller must ensure appropriate technical and organizational measures to protect Personal Data.
• 'Appropriate' means that the security measures taken are appropriate to the risk that the Personal Data will be (further) Processed carelessly or unlawfully and the damage that would result from this. The measures taken must ensure that:
  
  • Only authorized persons have access to Personal Data;
  • The Personal Data is correct and will not be lost;
  • The Personal Data are available without hindrance for lawful Processing in accordance with the agreements within the organization.
  • In all cases, the Controller is responsible for the information security policy and promotes this policy within the dental practice.

Article 18. Final provisions

• The Controller does not accept more obligations than those to which he is obliged by law, unless otherwise agreed in writing with the Data Subject.
• The Data Subject has the right to file a complaint with the supervisory authority.
• Changes to these Privacy Regulations are made by the Controller. The changes to the Privacy Regulations apply to the Data Subject(s) after the Data Subject(s) have been informed of the change.
• This Privacy Policy is effective as of  entered into force on 01-09-2022.