1. Definitions

In this regulations are understood to mean::

  • the healthcare institution Titurel located in Putte;
  • the law: the Personal Data Protection Act and from May 2018 the General Regulation Data protection (AVG);
  • personal data: any information about an identified or identifiable natural person;
  • processing of personal data: any act or set of acts with regarding personal data. In any case, that is what it means collect, to establish, the order, save, to update, change, request, consult, to use, provided by forwarding, dissemination or any other form of provision, bring together, into each other relate, as well as shielding, exchange or destroy facts;
  • existed: each coherent set of personal data, regardless of whether this is a set of data collected together or separately, that according to certain criteria is accessible and relates to different people;
  • responsible: the person who alone or together with others determines the purpose and means for the processing of personal data. Responsible person may be one natural person, a legal entity or an administrative body;
  • processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
  • person involved: the person to whom a personal data relates;
  • third: every other than the data subject, the person responsible, the processor or any person who is authorized under the direct authority of the controller or processor to process personal data;
  • recipient: the person to whom the personal data is provided;
  • permission of the data subject: every free one, specific and information-based expression of will by which the data subject accepts that personal data will be collected about him incorporated;
  • provide of personal data: the publication or making available of personal data;
  • collect of personal data: obtaining personal data.
  • Reach
  • These regulations applies to the fully or partially automated processing of personal data. It also applies to non-automated ones processing of personal data included in a file or that are intended to be included therein.
  • These regulations applies within Titurel and relates to the processing of personal data mainly clients, but can also apply to employees, volunteers and interns.
  • Target
  • The purpose of the collection and processing of personal data is available data that are necessary for the realization of legal purposes as well as the purposes as described in the service description Title and the conduct of policy and management in the context of these purposes.
  • The purposes for which data is stored within Titurel collected and processed, are explicitly described in the service description which is attached as an appendix.
  • Representation person involved
  • If the the person concerned is a minor and has not yet reached the age of sixteen reached or if the person concerned has reached the age of majority and has been placed under guardianship, or a mentorship has been established for the benefit of the person concerned, is in the instead of the consent of the data subject the consent of his legal representative required. The consent is recorded in writing. If the person concerned has issued written authorization in this regard representation towards processor, then permission is also given by the written representative required.
  • A consent can be given by the data subject, his or her written representative legal representative can be withdrawn at any time.
  • Responsibility for management and liability
  • The Data Protection Officer (FG) is responsible for the property functioning of the processing and management of the data.
  • The The person responsible ensures that appropriate technical and organizational measures are implemented to protect against any loss or any form of unlawful processing of data.
  • The in paragraph 1 responsibility referred to in paragraph 2 certain applies undiminished if the processing takes place by a processor; this is arranged in one agreement (or by means of another legal act) between editor and responsible.
  • The responsible party is liable for any damage or disadvantage that may occur caused by failure to comply with the requirements of the law or this regulations. The processor is liable for that damage or disadvantage, for insofar as it/that was created by his actions.
  • Lawful processing
  • Personal data are done in a transparent manner and in accordance with the law and this regulations are processed properly and carefully.
  • Personal data are only collected for the purposes referred to in these regulations not further processed in a manner incompatible with the purposes for which they were obtained.
  • Personal data serve – considering the purposes for which they are collected or subsequently are processed – sufficient and relevant; there are no more serving personal data are collected or processed other than for the purpose of registration is required.
  • Personal data may only be processed if:
  • the person concerned has given his unambiguous consent for the processing;
  • the data processing is necessary for the execution of an agreement to which the person concerned is a party (for example, the employment contract with person involved) or for actions, at the request of the person concerned, that necessary for concluding an agreement;
  • the data processing is necessary to fulfill a legal obligation responsible to comply;
  • the data processing is necessary in connection with a vital interest of person involved;
  • the data processing is necessary in view of an interest of the person responsible or from a third party, unless that interest conflicts with it interests of the person whose data is being processed and that interest takes precedence.
  • The registration of the citizen service number only takes place when there is a legal basis for this and/or that the person responsible or processor provides a form of care to the data subject.
  • Anyone who acts under the authority of the controller or processor - and also the editor himself – only processes personal data on behalf of the responsible, except in the case of deviating legal obligations.
  • The data becomes only processed by persons exercising their duties, profession, legal prescription, or are obliged to maintain confidentiality on the basis of a confidentiality agreement.
  • With external data subjects having access to personal data is a processing agreement drawn up. These agreements are kept on a protected domain on the server. This are adjusted in case of changes.
  • Processing of personal data
  • The processing takes place through help- or social service providers insofar as this is for the purpose of proper treatment or care of the person involved, or management of the relevant institution or professional practice (municipalities/care office) is necessary.
  • The processing takes place with the explicit consent of the person concerned.
  • The processing takes place at the request of an insurer to the extent necessary for the assessment of the risk to be insured by the insurer, or before to the extent necessary for the execution of an insurance contract.
  • Without The client's consent may be for statistical or scientific purposes public health research to another data on the patient are provided if:
  • asking consent is not reasonably possible and with regard to the such safeguards are provided for the execution of the research, that the the client's privacy is not disproportionately damaged, or it asking for permission, given the nature and purpose of the research, in reasonableness cannot be expected and the care provider has taken care that the data is provided in such a form that it can be traced back to individual persons is reasonably prevented. Provision is only possible if:
  • the research serves the public interest;
  • the research cannot be carried out without the corresponding data and
  • as far as the the client concerned does not expressly object to a provision made.
  • The ban on special data as referred to in article 8 is not possible to process application to the extent necessary in addition to the processing of personal data about someone's health for the purpose of proper treatment or care of the person concerned.
  • Special personal data
  • The processing of personal data about a person's religion or belief, ras, political disposition, health, sexual life, membership of one trade association or criminal personal data is prohibited, except in the cases in which the law expressly determines by whom, for what purpose and under what conditions such data may be processed (articles 17 tot en met 22 of the law).
  • It in the prohibition referred to in the previous paragraph applies, without prejudice to the provisions of the articles 17 tot en met 22 of the law, not insofar as there is an exception as referred to in article 23 of the law.
  • Data acquisition
  • If at the the data subject himself/herself obtains the personal data, shares the responsible informs the person concerned before the moment of acquisition:
  • his identity;
  • the purpose of the processing for which the data is intended, unless the data subject has that purpose already knows.
  • The The person responsible will provide the data subject with further information to the extent that this is the case – given the nature of the data, the circumstances under which they are obtained or the use made of it – is necessary to face the to ensure proper and careful processing of the data subject.
  • Bee acquisition of data without the data subject's knowledge, the controller shares the person involved:
  • his identity;
  • the nature of the data and the purpose of the processing for which the data is intended. The time when that should happen is:
  • the moment that the controller records the data or
  • as the controller collects the data solely for the purpose of passing it on to a third party provide: at the latest at the time of first provision to that third party.
  • The responsible person will provide further information to the extent that this is the case – considering the nature of the data, the circumstances under which they are obtained or it use made of it – is necessary to make a complaint to the data subject to ensure proper and careful processing.
  • The bottom 3 certain provisions do not apply if the notification referred to therein is impossible appears to require a disproportionate effort. In that case the responsible determines the origin of the data.
  • The bottom 3 certain provisions also do not apply if the recording or provision is made at or prescribed by law. In that case, the person responsible must to inform the data subject at his request about the legal requirement that to record or provide data concerning him.
  1. Right of access
  2. The person concerned has the right to take note of the processed data relating to his person relate and may receive a copy thereof.
  3. The responsible person will share with anyone at their request – as soon as possible no later than four weeks after receipt of the request – in writing or personal data relating to him are processed.
  4. If so is the case, the responsible person will provide it to the applicant if desired – Like this as soon as possible, but no later than four weeks after receipt of the request – a complete overview in writing with information about the purpose or the purposes of the data processing, the data or categories of data to which the processing relates, the recipients or categories of recipients of the data as well as the origin of the data.
  5. If one important interests of the applicant require this, the person responsible complies the request in a form other than the written form that is relevant to that interest amended.
  6. The person responsible may refuse to comply with a request if and to the extent necessary is related to:
  7. the investigation and prosecution of criminal offences;
  8. the protection of the data subject or the rights and freedoms of others.

11. Provision of personal data

1.    Provision of personal data to a third party is in principle no different than after consent of the person concerned or his representative, except for one to that effect applicable legal regulation or a state of emergency.

2.    If responsible without the consent of the person concerned or his/her legal representative personal data provided to third parties, holds the person concerned responsible or inform his legal representative thereof without delay, unless this poses a risk to persons and/or property.

12. Right to correction, supplement, removal

1.    On written request from a data subject, the controller will proceed improvement, supplement, removal and/or shielding (the right to be forgotten) by the personal data processed about the applicant, if and to the extent that this data is factually incorrect, incomplete for the purpose of the processing, not are relevant or include more than the purpose of the registration is necessary, or otherwise conflict with a legal requirement incorporated. The request from the person concerned contains the changes to be made.

2.    The responsible will inform the applicant as soon as possible, but externally within four weeks after receipt of the request, in writing whether he does so meets. If he does not want to comply with this or does not want to do so completely, he justifies that. In this context, the applicant has the option to contact the complaints committee of the person responsible.

3.    The The responsible person ensures that a decision for improvement is made, supplement, removal and/or shielding indoors 14 working days, and when this it turns out not to be reasonably possible, otherwise as soon as possible afterwards, is becoming carried out.

13. Retention of data

1.    Personal data are no longer kept in a form that allows the data subject to be contacted identify, than is necessary for the realization of the objectives for which they are collected or subsequently edited.

2.    The The controller determines how long the recorded personal data will be retained to stay.

3.    The retention period for medical- and/or healthcare data is in principle fifteen years, counted from the time they were manufactured, or as much longer as reasonably from the care of a good care provider or responsible person results.

4.    Facts of a non-medical nature are not kept longer than is necessary for the purpose realization of the purposes for which they are collected or subsequently collected incorporated, unless they are exclusively for historical use, statistical or scientific purposes are preserved. If the relevant data have been processed in such a way that it is impossible to trace them back to individual persons, they can be kept in an anonymized form.

5.    If the retention period of the personal data has expired or the data subject has a requests deletion before the expiry of the retention period, become the relevant medical data within a period of three months deleted.

6.    Removal However, this is omitted when it can reasonably be assumed that

  • keeping it is of great importance to someone other than the data subject;
  • keeping it is required by law or
  • if there is agreement between the data subject and the controller.

14. Notification of data processing

1.    A fully or partially automated processing of personal data that is intended for the realization of a goal or related goals, is becoming registered with the Dutch Data Protection Authority, before with the processing starts.

2.    The not automated processing of personal data for the realization of a purpose or related goals is intended, will be notified if this is the case subject to prior investigation. Preliminary research takes place if the person responsible:

  • is planning to process a personal identification number for a purpose other than that for which it is intended it is intended and therefore to be able to relate data to data processed by another controller;
  • is planning record data based on your own observations, without the inform the responsible person thereof;
  • is planning criminal data or data about unlawful or annoying behavior process for the benefit of third parties.
  • In the message are indicated:
  • the name and the address of the person responsible;
  • the goal or the purposes of the processing;
  • a description of the categories of data subjects and of the (categories of) data that relate to that;
  • the recipients or categories of recipients to whom the data may be disclosed.

15. Klachtenregeling

If the data subject is from it is the opinion that the provisions of these regulations are not being complied with, he can to address:

  • the person responsible;
  • the complaints officer of Zorgbelang, An body functioning outside the company, where the company is located has connected;
  • the court, in the cases referred to in article 46 of the law and
  • the College Personal Data Protection with the request to mediate and advise the dispute between the data subject and the controller.

16. Changes entering into force and copy

1.    Changes are added to these regulations by the person responsible.

2.    The changes to the regulations are effective for four weeks, after they are known made to those involved.

3.    This regulations come into effect on May 1 2018.

4.    This regulations can be viewed from the person responsible. If desired, this is possible cost price a copy of these regulations can be obtained.

17. Unforeseen
In cases where these regulations does not provide, the person responsible decides, taking into account the provisions in the law and the purpose and scope of these regulations.

Addendum

Information about the Protection Act personal data:

the website about the Use Act citizen service number in healthcare: http://www.rijksoverheid.nl/onderwerpen/personal data/ citizen service number-bsn/bsn-in-de-zorg