Article 1. General
Article 2. Definitions
For the sake of clarity, we briefly indicate what we mean by certain terms:
1. Personal data: all data by means of which the patient can be identified.
3. Processing: an operation on Personal Data, whether or not carried out through automated processes, such as collecting, recording, organizing, storing, updating, changing, retrieving, consulting, using, providing by means of transmission, dissemination or any other form of making available, bringing together, linking, as well as blocking, erasure or destruction of personal data.
4. Processor: the person who takes care of the Processing of Personal Data for the dental practice, without being subject to his direct authority, such as auxiliary persons hired by the controller.
5. Data subject: the person to whom the personal data relate, generally the patient.
6. Implementing Act: the General Data Protection Regulation Implementation Act.
7. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (PbEU 2016, L 119).
9. Pseudonymized data: Personal data that can no longer be linked to a specific data subject without the use of additional data. This additional data is stored in such a way that it cannot be linked to an identifiable person.
Article 3. How do we get the data?
Personal data originates from or is derived from data provided orally and in writing by the Data Subject or his legal representative. In addition, personal data may be provided by the health insurer, the general practitioner, other practitioners, specialists, care providers or persons or bodies other than those mentioned above.
Article 4. How and why do we process data?
1. Processing is done in a manner that is lawful, fair and transparent with regard to the Data Subject. In addition, the collection of Personal Data takes place for specific, explicit and legitimate purposes. They will not be Processed in a manner incompatible with those purposes.
2. The Processing for archiving purposes in the public interest, scientific or historical research or statistical purposes is not considered incompatible with the original purposes.
3. The Processing is only lawful if and insofar as at least one of the following conditions is met:
a. Consent of the Data Subject;
b. Entering into and performing a treatment (agreement);
c. Safeguarding a vital interest of the Data Subject, such as emergencies;
d. To represent a legitimate interest of the Controller or a third party (for example, business continuity);
e. The need to comply with a legal obligation or an agreement with the Data Subject.
4. Personal Data will only be Processed insofar as they are adequate, relevant and limited to what is necessary in view of the purposes for which they are Processed.
5. Tandartspraktijk Kockengen processes Personal Data for the following purposes:
a. Treatment of the Data Subject;
b. Informing and contacting the Data Subject(s);
c. Financial administration;
d. Good functioning of the website.
Article 5. Conditions for consent
1. The Controller can demonstrate that the Data Subject has given consent to the Processing.
2. The Data Subject can always withdraw a given consent.
Article 6. Other data
Article 7. What data is involved?
Processing may concern the following categories of data:
a. Surname, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number and similar data required for communication, as well as payment details of the Data Subject;
b. Administration number that does not contain any information other than under a;
c. Data as referred to under a, of the parents, guardians or caretakers of minor Data Subjects;
d. Data as referred to under a of the family members or relatives of the Data Subject as well as others who are informed about the well-being and health of the Data Subject;
e. Information about the health status of the Data Subject and, in the case of hereditary disorders, his family members and relatives;
f. Other special Personal Data with a view to the proper treatment or care of the Data Subject;
g. Information about the treatment followed and to be followed by the Data Subject as well as the medicines or facilities provided;
h. Information about calculating, recording and collecting the compensation;
i. Information about the Data Subject’s insurance;
j. Other data necessary for the treatment.
Article 8. Information obligation
1. Before Processing Personal Data, the Controller shall inform the Data Subject and/or his legal representative:
a. Who is responsible for the processing with contact details;
b. Why certain, concrete Personal Data will be Processed;
c. If applicable, the contact details of the data protection officer;
d. How the Personal Data is Processed;
e. The period for which the Personal Data will be stored or, if that is not possible, the criteria for determining that term;
f. Any other information required to be provided for due diligence. This also means: The more sensitive the Personal Data that the Controller wants to Process, the more thorough information must be provided.
2. If Personal Data is requested via a third party, or provided to a third party, the information obligation will be met in the same way before the Personal Data are obtained or supplied, unless this can only be done with a disproportionate effort.
Article 9. Right of access
1. The Data Subject has the right to view his Personal Data and can request the following data:
a. A description of the purpose or purposes of the Processing of Personal Data;
b. All available data regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. An overview of recipients or categories of recipients who have received the Personal Data;
e. If possible, the period for which the Personal Data is expected to be stored, or if that is not possible, the criteria for determining that period;
f. That the Data Subject has the right to rectification, the right to erasure and the right to restriction of processing.
2. A request for inspection may be rejected on the following grounds:
a. The requester is not a Data Subject or his/her request does not relate to data relating only to the requester;
b. The applicant has not yet reached the age of 16 and/or has been placed under guardianship. In that case, only the legal representative can make the request;
c. The controller has already recently complied with a similar request from the same applicant;
d. Protection of the Data Subject or of the rights and freedoms of others;
e. Because of the security of the state, and/or the prevention, detection and prosecution of criminal offenses.
Article 10. Other rights
1. The Data Subject has the right to object at any time to the Processing of Personal Data concerning him. The Processing is stopped by the Controller in the event of an objection.
2. The Data Subject has the right to obtain from the Controller without undue delay the rectification of incorrect Personal Data concerning him.
3. The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him without undue delay.
In addition, the Controller is obliged to delete data without undue delay when the Data Subject has withdrawn his consent or the Controller no longer needs the Personal Data for the purposes for which it was collected.
4. The Data Subject has the right to obtain from the Controller restriction of the Processing if the accuracy of the Personal Data is contested by him.
5. The Data Subject has the right to obtain the Personal Data concerning him, which he has provided to the Responsible Party, in a structured, commonly used and machine-readable format.
Article 11. The exercise of rights by the Data Subject
Article 12. Access to and Recipients of Personal Data
1. In principle, only those who are directly involved in the implementation of the treatment of the Data Subject have access to Personal Data, insofar as such access is necessary for their work.
2. When Processing is carried out on behalf of the Controller, the Controller only calls on Processors who provide adequate guarantees that the Personal Data will be Processed in accordance with the Regulation, the Implementation Act or regulations based thereon.
3. For the rest, access/Personal data may be provided to the following persons and authorities:
a. Investigators as referred to in Section 7:458 of the Dutch Civil Code;
b. Health insurers insofar as necessary with a view to the obligations under the insurance contract;
c. Third parties charged with collecting claims insofar as access/provision is necessary and it does not concern medical data;
4. Others, when the basis of the Processed data is:
(i) Consent of the Data Subject;
(ii) A need to comply with a legal obligation;
(iii) Safeguarding a vital interest of the Data Subject.
5. Others, when further Processing is for historical, statistical or scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is exclusively for these purposes.
Article 13. Register
The Controller keeps a register of the processing activities that take place under its responsibility. This register contains the following information:
a. The name and contact details of the Controller and, if applicable, of the data protection officer;
b. The processing purposes;
c. The categories of data to which the Processing relates;
d. The categories of recipients to whom Personal Data is disclosed;
e. If possible, the envisaged period within which the Personal Data must be erased;
f. If possible, a description of the technical and organizational measures taken.
Article 14. Notification of infringement
1. If a breach in connection with Personal Data has taken place, the Responsible Party will inform the Data Subject and the Dutch Data Protection Authority of this as soon as possible after becoming aware of this, if and insofar as required by law.
2. The notification referred to in the first paragraph contains at least:
a. The nature of the breach;
b. The likely consequences of the breach;
c. The measures taken by the Controller as a result of the breach;
d. A point of contact for more information.
Article 15. Retention periods
1. Medical data obtained to enter into or fulfill a treatment agreement will be kept for 15 years. The Controller is not obliged to retain data for longer than required by law, in particular Article 7:454 paragraph 3 of the Dutch Civil Code.
2. Other Personal Data will not be kept for longer than is necessary for the purposes for which it was Processed. If that Personal Data is no longer needed, it will be deleted.
Article 16. Confidentiality
1. The Controller, the Processor and anyone who has access to Personal Data under the authority of the Controller are obliged to maintain the confidentiality of the Personal Data.
2. Data relating to the health of the Data Subject(s) are regarded as ‘special Personal Data’. With regard to the Processing of special Personal Data, everyone who Processes it has a duty of confidentiality. This arises from the position, profession or employment contract of the person concerned.
Article 17. Security
1. The Controller must ensure appropriate technical and organizational measures to secure Personal Data.
2. ‘Appropriate’ means that the security measures taken are appropriate to the risk of the Personal Data being (further) Processed carelessly or unlawfully and the damage that would result from this. The measures taken must ensure that:
a. Only authorized persons have access to Personal Data;
b. The Personal Data is correct and will not be lost;
c. The Personal Data are available without hindrance for lawful Processing in accordance with the agreements within the organization.
3. In all cases, the Responsible Party is responsible for the information security policy and propagates this policy within the dental practice.
Article 18. Final provisions
1. The Controller does not accept any more obligations than what he is obliged to under the law, unless agreed otherwise in writing with the Data Subject.
2. The Data Subject has the right to lodge a complaint with the supervisory authority.
For questions or to exercise the rights of the Data Subject, please contact Smile Design Center on the telephone number: 0346 241155