Name of dental practice: Pro-tand
Practice address: Hovenstraat 135, 6374 EM Landgraaf
Email address: info@pro-tand.eu
Phone number: 045-5333355
Article 1. General
The dental practice ensures that (special) personal data of patients is handled with care. We adhere to the applicable laws and regulations, including the General Data Protection Regulation. With this privacy policy, we want to inform you in more detail about our policy.
Article 2. Definitions
For the sake of clarity, we briefly indicate what we mean by certain terms:
- Personal data: all data by means of which the patient can be identified.
- Controller: the controller, as referred to in Article 4 paragraph 7 of the Regulation. For this privacy policy, the dental practice.
- Processing: an operation on personal data, whether or not carried out via automated processes, such as collecting, recording, organizing, storing, updating, modifying, retrieving, consulting, using, providing by means of transmission, distribution or any other form of making available, combining, linking, as well as shielding, erasing or destroying Personal Data.
- Processor: the person who takes care of the Processing of Personal Data on behalf of the dental practice, without being subject to its direct authority, such as auxiliary persons hired by the Controller.
- Data subject: the person to whom the Personal Data relates, generally the patient.
- Implementing Act: the Implementing Act General Data Protection Regulation.
- Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJEU 2016, L 119).
- Privacy policy: this document.
- Pseudonymized data: Personal Data that can no longer be linked to a specific data subject without the use of additional data. This additional data is stored in such a way that it cannot be linked to an identifiable person.
Article 3. How do we obtain the data?
Personal data comes from or is derived from data that is provided orally and in writing by the data subject or his/her legal representative. Personal data can also be provided by the health insurer, the general practitioner, other practitioners, specialists, healthcare providers or persons or bodies other than the aforementioned.
Article 4. How and why do we process data?
- Processing takes place in a manner that is lawful, fair and transparent in relation to the data subject. In addition, the collection of personal data takes place for specified, explicitly defined and justified purposes. The processing thereof does not take place in a manner incompatible with those purposes.
- Processing for archiving purposes in the public interest, scientific or historical research or statistical purposes is not regarded as incompatible with the original purposes.
- The processing is only lawful if and to the extent that at least one of the following conditions is met:
  - Consent of the data subject;
  - Entering into and executing a treatment (agreement);
  - Protecting a vital interest of the data subject, such as emergencies;
  - Promoting a legitimate interest of the controller or of a third party (for example, business continuity);
  - Necessity to comply with a legal obligation or an agreement with the data subject.
- Personal data is only processed to the extent that it is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- The dental practice processes personal data for the following purposes:
  - Treatment of the data subject;
  - Informing and contacting data subject(s);
  - Financial administration;
  - Proper functioning of the website.
Article 5. Conditions for consent
- The controller can demonstrate that the data subject has given consent to the processing.
- The data subject can always withdraw a given consent.
Article 6. Other data
Anonymized data is not covered by this privacy policy.
Article 7. What data is involved?
Processing may relate to the following data categories:
- Name, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number and similar data required for communication, as well as payment details of the data subject;
- An administration number that contains no information other than the data referred to in the first item of this list;
- Data as referred to in the first item of this list, of the parents, guardians or carers of minor data subjects;
- Data as referred to in the first item of this list, of the family members of the data subject as well as others who are informed about the well-being and health of the data subject;
- Information about the state of health of the data subject and, in the case of hereditary conditions, his/her family members;
- Other special personal data for the purpose of the proper treatment or care of the data subject;
- Information about the treatment followed and to be followed by the data subject as well as the medicines or facilities provided;
- Information about calculating, recording and collecting the compensation;
- Information about the insurance of the data subject;
- Other data that is necessary for the treatment.
Article 8. Information obligation
Before the controller processes personal data, he/she informs the data subject and/or his/her legal representative:
- Who is responsible for the processing with contact details;
- Why certain, concrete personal data will be processed;
- If applicable, the contact details of the data protection officer;
- In what way the personal data is processed;
- The period during which the personal data will be stored, or, if that is not possible, the criteria for determining that period;
- All other information that must be provided for the sake of due care. This also means that the more sensitive the personal data that the controller wants to process, the more thoroughly information must be provided.
If personal data is requested via a third party, or delivered to a third party, then the information obligation is fulfilled in the same way, before the personal data is obtained or delivered, unless this can only be done with disproportionate effort.
Article 9. Right of access
- The data subject has the right to access his/her personal data and can request the following data:
  - A description of the purpose or purposes of the processing of personal data;
  - All available data regarding the origin of the personal data;
  - The categories of data to which the processing relates;
  - An overview of recipients or categories of recipients who have received the personal data;
  - If possible, the period for which the personal data is expected to be stored, or if that is not possible, the criteria for determining that period;
- A request for access can be rejected on the following grounds:
  - The applicant is not a data subject or his/her request does not relate to data that only relates to the applicant;
  - The applicant has not yet reached the age of 18 and/or has been placed under guardianship. In that case, only the legal representative can make the request;
  - The controller has already recently complied with a similar request from the same applicant;
  - Protection of the data subject or of the rights and freedoms of others;
  - Due to the security of the state, and/or the prevention, detection and prosecution of criminal offenses.
Article 10. Other rights
- The data subject has the right to object at any time to the processing of personal data concerning him/her. The processing is stopped by the controller in the event of objection.
- The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her.
- The data subject has the right to obtain from the controller without unreasonable delay the erasure of personal data concerning him/her.
  In addition, the controller is obliged to erase data without undue delay when the data subject has withdrawn his/her consent or the controller no longer needs the personal data for the purposes for which it was collected.
- The data subject has the right to obtain restriction of the processing from the controller if the accuracy of the personal data is disputed by him/her.
- The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used and machine-readable format.
Article 11. The exercise of rights by the data subject
The controller takes appropriate measures so that the data subject receives the communication or information regarding the rights as described in this privacy policy in a concise, transparent and accessible manner and in clear terms.
Article 12. Access to and recipients of personal data
- In principle, only those who are directly involved in the execution of the treatment of the data subject have access to personal data, insofar as that access is necessary for their work.
- When processing is carried out on behalf of the controller, the controller only uses processors who provide sufficient guarantees that the personal data is processed in accordance with the regulation, the implementing act or regulations based thereon.
- Beyond that, access can be granted or personal data can be provided to the following persons and bodies:
  - Researchers as referred to in Article 7:458 of the Dutch Civil Code;
  - Health insurers insofar as necessary for the purpose of the obligations under the insurance agreement;
  - Third parties who are responsible for collecting claims insofar as access/provision is necessary and it does not concern medical data;
  - Others, when the basis of the processed data is:
    - Consent of the data subject;
    - A necessity to comply with a legal obligation;
    - Protecting a vital interest of the data subject.
  - Others, when the further processing takes place for historical, statistical or scientific purposes, if the controller has taken the necessary measures to ensure that further processing only takes place for these purposes.
Article 13. Register
The controller keeps a register of the processing activities that take place under its responsibility. This register contains the following data:
- The name and contact details of the controller and, if applicable, of the data protection officer;
- The processing purposes;
- The categories of data to which the processing relates;
- The categories of recipients to whom personal data is provided;
- If possible, the intended period within which the personal data must be erased;
- If possible, a description of the technical and organizational measures taken.
Article 14. Breach notification
- If a breach in connection with personal data has taken place, the controller shall, if and insofar as legally required, notify the data subject and the Dutch Data Protection Authority of this as soon as possible after he/she has become aware of it.
- The notification referred to in the first paragraph contains at least:
  - The nature of the breach;
  - The likely consequences of the breach;
  - The measures that the Controller has taken as a result of the breach;
  - A contact point for more information.
Article 15. Retention periods
- Medical data that has been obtained to enter into or fulfill a treatment agreement is kept for 20 years. The controller is not obliged to observe retention periods longer than those required by law, in particular Article 7:454 paragraph 3 of the Dutch Civil Code.
- Other personal data is not kept longer than necessary for the purposes for which it was processed. If that personal data is no longer needed, it will be deleted.
Article 16. Confidentiality
- The Controller, the processor and everyone who has access to personal data under the authority of the Controller are obliged to maintain the confidentiality of the personal data.
- Data relating to the health of data subject(s) are designated as ‘special personal data’. For the Processing of special personal data, everyone who Processes them has a duty of confidentiality. This arises from the office, profession or from the employment contract of that person.
Article 17. Security
- The Controller must ensure appropriate technical and organizational measures to protect personal data.
- ‘Appropriate’ means that the security measures taken are appropriate to the risk that the personal data will be (further) processed carelessly or unlawfully, and to the damage that would result from this. The measures taken must ensure that:
  - Only authorized persons have access to personal data;
  - The personal data is correct and is not lost;
  - The personal data is available without hindrance for lawful processing in accordance with the agreements within the organization.
- In all cases, the Controller is responsible for the information security policy and disseminates this policy within the dental practice.
Article 18. Final provisions
- The controller does not accept more obligations than what he/she is obliged to do under the law, unless otherwise agreed in writing with the data subject.
- The data subject has the right to submit a complaint to the supervisory authority.
- Changes to this privacy policy are made by the controller. The changes to the privacy policy are effective with respect to data subject(s) after data subject(s) have been informed of the change.
- This privacy policy came into effect on 25-05-2018 and can be viewed at the dental practice.
For questions or to exercise the rights of the data subject, you can contact the data protection officer of Pro-tand via info@pro-tand.eu.