Make an appointment now for a no-obligation (video)consultation.

Make an appointment

PRIVACY RULES

9,0

out of 621 reviews

13.500+

Clients

35.700+

Treatments done

Article 1. Definitions

Article 1. Definitions

1. Kliniek Dokter Frodo: treatment center for Botox, fillers and medical skin improvement.
2. Management: the management of Kliniek Dokter Frodo.
3. Personal data: any data concerning an identified or identifiable natural person.
4. Healthcare data: personal data that directly or indirectly relate to the physical or mental condition of those involved, collected by a healthcare professional in the context of his professional practice.
5. Processing of personal data: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together, linking together, as well as blocking, erasing or destroying data.
6. Providing personal data: disclosing or making data available.
7. Collection of personal data: obtaining personal data.
8. File: any structured set of personal data, regardless of whether this set of data is centralized or distributed in a functionally or geographically determined manner, which is accessible according to certain criteria and relates to different persons.
9. Responsible: the management.
10. Processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority.
11. Data subject: the person to whom personal data relates.
12. Third party: anyone, other than the data subject, the controller, the processor, or any person who is authorized under the direct authority of the controller or the processor to process personal data.
13. Recipient: the person to whom the personal data is provided.
14. Consent of the data subject: any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him/her will be processed.
15. CBP: the Personal Data Protection Board, the Board whose task is to supervise the processing of personal data.
16. WBP: the Personal Data Protection Act.
17. WGBO: the Medical Treatment Agreement Act.
18. The BIG Act: the Individual Health Care Professions Act.
19. Together Act: the Act on the Stimulation of Labor Participation of Minorities.
20. BOPZ: the Special Admissions in Psychiatric Hospitals Act.
21. Complaints Committee: the committee established in accordance with the Complaints Act.

Article 2. Scope

Article 2. Scope

These regulations apply to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data that are included in a file or that are intended to be included therein. The personal data processed at Kliniek Dokter Frodo  mainly concerns patient and staff data.

Article 3. General provisions

Article 3. General provisions

1. Management is responsible for establishing the general objectives of the processing systems used.
2. Without prejudice to the general objectives set by the management, personal data will only be processed: with the consent of the data subject and/or from the point of view of an obligation under the law such as the WGBO, the WBP, the BIG Act, the “Samen Act” and/or to safeguard a vital interest of the data subject.
3. The management is responsible for ensuring that the standards set by law and reflected in these regulations are observed when processing personal data.
4. The management can appoint an officer who, in the context of data protection, supervises the processing of personal data in accordance with legislation and regulations. The management is thereby bound by the legal provisions applicable to a privacy officer, among other things, the officer must be registered with the Dutch DPA.

Article 4. Purpose

Article 4. Purpose

1. These regulations apply within Kliniek Dokter Frodo en and relate to the categories of data processing and purposes as referred to in appendix 1a and the overview drawn up by the institution of the processing of personal data (see appendix 1b, which forms a whole with the regulations and periodically is tested by Kliniek Dokter Frodo  for mutations to be introduced).
2. The purpose of these regulations is to provide a practical elaboration of the provisions of the WBP and, insofar as applicable, the provisions of other acts such as the WGBO, the BOPZ, the General Taxes Act and the Samen Act.
3. Within the objective of these regulations, no other data will be included than described under Article 1.

Article 5. Conditions for lawful processing

Article 5. Conditions for lawful processing

1. Personal data will be processed in a proper and careful manner in accordance with these regulations.
2. Personal data will not be further processed in a way that is incompatible with the purposes for which they were obtained.
3. Personal data shall only be processed to the extent that they are adequate, relevant and not excessive in view of the purposes for which they are collected or subsequently processed.
4. The management is responsible for the proper functioning of the processing of personal data. His conduct with regard to the processing of personal data and the provision of data is determined by these regulations (*2).

Article 6. Processing of personal data (insofar as this is not healthcare data)

Article 6. Processing of personal data (insofar as this is not healthcare data)

Personal data may only be processed if one of the following conditions is met:
a. the data subject has given his unambiguous consent for the processing;
b. this is necessary for the performance of an agreement to which the data subject is a party, or for acts performed at the request of the data subject and which are necessary for the conclusion of an agreement (*4);
c. this is necessary to comply with a legal obligation (*5);
d. this is necessary to combat a serious danger to the health of the person concerned;
e. this is necessary for the performance of a public law task (*6);
f. this is necessary for the representation of the legitimate interest of a third party to whom the data is provided and the interest of the person whose data is processed does not prevail.

Article 7. Provision of information to the data subject/data obtained from the data subject

Article 7. Provision of information to the data subject/data obtained from the data subject

1. If the personal data are obtained from the data subject himself, the employee who collects the data will inform the data subject before the time of acquisition (*7):
a. the identity of the processing organization and the purposes of the processing for which the data is intended, unless the data subject is already aware of this;
b. further information insofar as this is necessary in view of the nature of the data, the circumstances in which it is obtained or the use made of it to guarantee proper and careful processing towards the data subject (*8).

3 The management must ensure that the person concerned is sufficiently informed before consent can be given (so-called informed consent). This explicit consent does not have to be given in writing. Consent can also be evidenced by word or behaviour.

Data obtained elsewhere
2. If the personal data are not obtained directly from the data subject, the employee who collects the data will provide the data subject with the information referred to in Article 7 sub a and b, unless he or she is already aware of this:
a. At the time of recording data concerning him, or
b. when the data is intended to be provided to a third party, at the latest at the time of the first provision.
3. The employee who processes the data will provide further information insofar as this is necessary in view of the nature of the data, the circumstances under which it is obtained or the use made of it to guarantee proper and careful processing towards the data subject.
4. The provisions under 2 do not apply if the communication of the information to the data subject proves impossible or involves a disproportionate effort. In that case, the employee who collects the data records the origin of the data.
5. The provisions under 2 also do not apply if the determination or provision is prescribed by or pursuant to the law. In that case, the employee who processes the data must inform the data subject, at his request, about the legal regulation that governs the recording or provision of the data concerning him/her.
led to data.
6. If the employee who processes the data has not informed the data subject in accordance with this article, this means that the personal data has not been processed properly and carelessly (*9).

Article 8. Specific rules for the processing of healthcare data

Article 8. Specific rules for the processing of healthcare data

1. Explicit permission (*10) from the data subject is required for the processing of healthcare data, unless it concerns a case as referred to in paragraphs 2 and 6 of this article, or if disclosure is necessary for the implementation of a statutory regulation.
2. Without the consent of the person concerned, with due observance of the third paragraph, personal data relating to health may be provided for processing by Management or on its behalf:
a. Care providers, institutions or facilities for health care or social services insofar as this is necessary with a view to proper treatment or care of the person concerned; or with a view to managing the organization of management;
b. Insurers insofar as this is necessary for the assessment of the risk to be insured by the insurance institution, with the exclusion of paragraph 4 of this article and the person concerned has not objected, or insofar as this is necessary for the execution of the insurance contract.
3. The personal data will only be provided to persons or institutions that are obliged to observe secrecy by virtue of their office, profession or legal regulation or by virtue of an agreement.
4. Without prejudice to any legal regulations in this regard, only the healthcare professional who collected this data, those who are directly involved in the execution of the treatment agreement and the person who acts as a replacement for the care provider, have access to the data processing, insofar as the provision is necessary for the work to be performed by them in that context.
5. Personal data concerning hereditary characteristics may only be processed insofar as these data relate exclusively to the data subject who provided this data (*11) unless there is an important medical interest or the processing is necessary for scientific research. In the latter case, point 8 of this article applies.
6. If personal data has been anonymized in such a way that it cannot reasonably be traced back, the Management may decide to provide it for purposes that are compatible with the purpose of the data processing.
7. Personal data concerning a person’s religion or belief, race, political opinion and sexual life may only be processed if and insofar as this is necessary in addition to the provision of personal data concerning a person’s health as referred to in paragraph 2 of this article.
8. Personal data can only be provided for scientific research and statistics without the consent of the person concerned if:
a. The research is in the public interest,
b. The processing is necessary for the relevant research or the relevant statistics,
c. Requesting explicit permission proves impossible or involves a disproportionate effort and
d. During the implementation, such safeguards are provided that the privacy of the data subject is not disproportionately harmed.

Article 9. Representation

Article 9. Representation

1. If the person concerned (here the patient) is younger than twelve, the parents who exercise parental authority or the guardian take the place of the person concerned.
2. The same applies to the patient who has reached the age of twelve and who cannot be considered capable of making a reasonable assessment of his interests in this regard.
3. If the patient falls in the age category of twelve to sixteen and is capable of a reasonable assessment of his interests, his parents will act alongside the patient himself.
4. If the patient is sixteen years of age or older and cannot be considered capable of a reasonable assessment of his interests in this regard, then, in order as shown here, he will act as his representative (*12):
a. The curator or mentor if the person concerned is under guardianship or if a mentorship has been established for him;
b. The personal authorized representative if the person concerned has authorized this person in writing, unless this person does not act;
c. The spouse or other life companion of the person concerned, unless this person does not want or is absent;
d. A child, brother or sister of the person concerned, unless this person does not wish it.
5. However, even if the patient has reached the age of sixteen or another person concerned has reached the age of eighteen and is capable of a reasonable assessment of his interests, he has the option in writing to authorize another person in his place as representative to act.
6. Consent can be withdrawn at any time by the data subject or his representative.
7. The person, who takes the place of the person concerned, exercises the care of a good representative. He is obliged to involve the person concerned as much as possible in the performance of his duties.
8. If a representative acts on behalf of the person concerned, the management will fulfill its obligations under the law and these regulations towards this representative, unless such fulfillment is not compatible with the care of a properly responsible person.

Article 10. Right to access and copy recorded personal data

Article 10. Right to access and copy recorded personal data

1. The data subject has the right to take cognizance of the processed data relating to his or her person.
2. The requested inspection and/or the requested copy will take place or be provided as soon as possible, but at the latest within four weeks.
3. A possible ground for limiting access to and copying may be the weighty interests of others than the applicant, including Management.
4. A reasonable fee may be charged for the provision of a copy, which will not exceed Euro 4.50 for the first 100 copies (Official Gazette of the Kingdom of the Netherlands Decree of 13 June 2001, number 305).

Article 11. Right to supplement, correct or delete recorded personal data

Article 11. Right to supplement, correct or delete recorded personal data

1. If requested, the recorded data will be supplemented with a statement issued by the person concerned with regard to the recorded data.
2. The data subject can request the correction of data relating to him if these are factually incorrect, incomplete or irrelevant for the purpose of the processing, or if they appear in the processing in violation of a statutory provision.
3. The data subject can request the deletion of data relating to him.
4. The management (for both patient data and personal data) will provide a written message to the requester, within four weeks after receipt of the written request for correction or removal, stating whether or to what extent the request is being processed. met. A refusal shall be reasoned.
5. The management ensures that a decision to correct, supplement, remove or block is carried out as soon as possible.
6. Management is responsible for the removal (*13) of the data within three months after a request to that effect from the data subject, unless it is reasonably plausible that the retention is of significant importance for someone other than the data subject, as well as insofar as retention required by law.

Article 12. Retention of data

Article 12. Retention of data

1. With due observance of the legal provisions, the management determines how long the recorded personal data will be kept. These retention periods are:
a. For medical and healthcare data: in principle fifteen years, calculated from the time they were produced, or so much longer as reasonably ensues from the care of a good care provider or the care of a good responsible person. Kliniek Dokter Frodo  assumes the moment at which the document is produced on the basis of the patient’s last consultation, i.e. the last time the file was used for the treatment;
b. For data in the context of the BOPZ Act: in principle five years after the date of manufacture or termination of treatment or such longer as reasonably ensues from the care of a good care provider or the care of a good responsible person;
c. For data of a non-medical nature: no longer than necessary for the realization of the purposes for which they are collected or subsequently processed, unless anonymised, if and insofar as they are kept exclusively for historical, statistical or scientific purposes. Attached
d. Which appendix forms part of the privacy regulations, an overview is given of retention periods.
2. If the retention period of the healthcare data has expired or the data subject makes a request for deletion before the expiry of the applicable retention period, the relevant medical personal data will be deleted, within a period of three months.
3. However, deletion will not take place if it is reasonably likely that the retention is of significant importance to someone other than the data subject, and retention is required on the basis of a statutory regulation or if there is agreement about this between the data subject and the management.

Article 13. Complaints

Article 13. Complaints

If the person concerned is of the opinion that the provisions of these regulations are not being complied with or has other reason to complain, he can contact:
a. The management;
b. The complaints committee functioning within the institution in accordance with the regulations for independent complaints handling;
c. Request the Dutch DPA in accordance with the WBP to investigate whether the method of data processing by the Management is in accordance with the WBP; or make use of the appeal options laid down in Chapter 8 of the WPB.

Article 14. Amendments, entry into force and inspection of these regulations

Article 14. Amendments, entry into force and inspection of these regulations

1. Changes to these regulations are determined by management and made under the responsibility of management.
2. The changes to the regulations will take effect four weeks after they have been announced to those involved.
3. These regulations came into effect on 1 September 2016 and can be requested from the secretariat, and can also be viewed via the website.

Footnotes

2* The management ensures that appropriate technical and organizational measures are taken to protect against loss or any form of unlawful processing.

3* The management must ensure that the person concerned is sufficiently informed before consent can be given (so-called informed consent). This explicit consent does not have to be given in writing. Consent can also be evidenced by word or behaviour.

4* An example of an agreement is the medical treatment agreement and the rental agreement.

5* For example, the provision of data in the context of Article 22 of the Hospital Facilities Act.

6* The person responsible in the context of the BOPZ and/or WMO must also be involved in this.

7* This general notification can be made, for example, by issuing an information brochure or by including information about the regulations and the processing of personal data in the house rules.

8* Since the processing of the data is done by a healthcare institution, it can generally be assumed that the data subject knows or can know that the processing of data is taking place. Notification of the recording of data to the individual data subject can then be omitted. A general notification of the existence of the processing and these regulations will suffice.

This is different if purposes other than care provision form an independent objective of the processing, for example scientific research. In that case, it cannot simply be assumed that the person concerned is aware of this objective.

9* Failure to comply with the information obligation will lead to unlawful processing. See also Article 5(1).

10* The explicit consent: the data subject must have expressed his will to consent to the data processing concerning him in word, writing or conduct.

11* Processing of personal data regarding hereditary characteristics with regard to others than the person about whom the data was originally obtained is also not permitted with the explicit consent of the person concerned or any family member to whom the data also relate.

12* The categories of representatives mentioned here correspond to the categories mentioned in the WGBO and BOPZ.

13* Removal should also be understood to mean destruction.

Ervaringen

Ervaringen

Ervaringen