Processing agreement
GDPR regulations
The new privacy legislation, summarized as the GDPR, has applied since May 25, 2018. It comprises the General Data Protection Regulation (Regulation (EU) 2016/679), which replaces the Privacy Directive (95/46/EC), together with the Privacy and Electronic Communications Directive (2002/58/EC) and the national laws implementing these rules. In the Netherlands the GDPR and its implementing act replace the Personal Data Protection Act (Wet bescherming persoonsgegevens). The GDPR expects a more proactive role from every organization that processes personal data.
The most relevant changes to take into account are:
– strengthening and expanding privacy rights;
– more responsibilities for organizations;
– the same, strong powers for all European privacy supervisory authorities, such as the power to impose fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.
As before, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, hereinafter AP) remains the supervisory authority that monitors whether organizations comply with the legislation. In preparation for the new regulations, the AP has drawn up a step-by-step plan:
The GDPR-10 step-by-step plan:
- Awareness
- Rights of data subjects
- Overview of processing operations
- Data protection impact assessment (DPIA)
- Privacy by design & privacy by default
- Data Protection Officer
- Data breach reporting obligation
- Processing agreements
- Lead supervisory authority
- Consent
Further elaboration of this step-by-step plan, and compliance with it in practice, should ensure that Osteopathie Laarman complies with the GDPR as fully as possible. The steps are discussed below: for each step it is examined to what extent it applies to Osteopathie Laarman, what challenges Osteopathie Laarman faces and how Osteopathie Laarman can meet the 'new' obligations in a responsible manner.
1. Awareness
2. Rights of data subjects
2.5 Osteopathie Laarman realizes that if it makes a written decision in the context of the exercise of the rights of the data subject, this will count as a decision within the meaning of the General Administrative Law Act.
2.6 In some cases, Osteopathie Laarman must inform the patient concerned on its own initiative. This is the case if:
- the personal data were not obtained from the patient but from another source;
- the data will be used for a purpose other than that for which they were originally provided.
In those cases Osteopathie Laarman will inform the person concerned within 1 month.
2.7 When a patient's treatment ends, Osteopathie Laarman will keep the personal data in its system for some time. The Medical Treatment Contracts Act (Wgbo) stipulates that medical records must be kept for 15 years, and Osteopathie Laarman will adhere to this retention period: the files will be destroyed after 15 years. The file also contains data of a non-medical nature.
2.8 So that the data subject has a complete picture of how his or her personal data are handled, for what purpose and on what legal basis (such as legitimate interest), every registered patient will have access to this privacy statement and the associated documents. Osteopathie Laarman will place this information on its website and point out that location to everyone involved.
3. Overview of processing operations
4. Data protection impact assessment (DPIA)
4.2 In addition to the criteria in the GDPR itself, the working group of European privacy supervisory authorities has drawn up a list of 9 criteria for examining whether a DPIA is necessary. The criteria that could apply to osteopaths are:
- processing of sensitive data;
- large-scale data processing;
- processing of data about vulnerable people.
4.3 The privacy supervisory authorities do not regard the processing of special categories of personal data by an individual doctor as large-scale, so individual physicians do not have to perform a DPIA. The same applies to data processing by an individual osteopath. Osteopathie Laarman will therefore not perform a DPIA.
4.4 Osteopathie Laarman is nevertheless aware that this concerns special categories of personal data. The contents of a medical file are sensitive for the person concerned and require a high degree of confidentiality. Osteopathie Laarman will therefore take measures to ensure that these data remain confidential.
4.5 The personal data that Osteopathie Laarman records are intended for internal use only: to enable the osteopath to give the patient the best possible treatment, to handle complaints, and to make it possible for the patient's health insurer to reimburse the costs wherever possible.
4.6 In due course, the Dutch Data Protection Authority (AP) will publish a list of processing operations for which a DPIA is mandatory. As soon as that list is available, Osteopathie Laarman will re-examine its processing of personal data to see whether further measures are necessary.
5. Privacy by design & privacy by default
5.2 Osteopathie Laarman pays attention to:
– minimizing the processing of personal data;
– recording only the BSN (citizen service number) and not making a copy of the passport or ID card;
– transparency regarding the functions and the processing of personal data;
– enabling the data subject to control the processing of his or her information; and
– implementing and improving security measures.
6. Data Protection Officer
6.1 As with the DPIA, the individual practice of an osteopath is not regarded by the AP as a large-scale processor, so even though special categories of personal data are concerned, appointing a Data Protection Officer (Functionaris Gegevensbescherming, FG) is not necessary. Osteopathie Laarman once again points out that the personal data are processed at the request of the patient, who wants the best possible treatment. Osteopathie Laarman does not process personal data for commercial purposes, and patients are not tracked by Osteopathie Laarman on the basis of their personal data.
6.2 Osteopathie Laarman emphasizes once again that it is aware that it processes personal data that require a high degree of confidentiality. At the same time, Osteopathie Laarman considers that it has taken all measures to ensure that patients' personal data are not used for purposes other than those intended.
7. Data breach reporting obligation
7.2 Malicious intent is not required for an incident to qualify as a 'personal data breach'. Besides the 'hacking' of personal data, a breach may for instance consist of personal data stored on a lost laptop, or of a closed website containing personal data that is accidentally opened up. A breach presupposes that a security incident has actually occurred: a mere threat, or a security weakness (a vulnerability) that could lead to an incident, is not in itself a personal data breach. A breach exists where an incident has actually occurred and the preventive measures taken proved insufficient to prevent it.
7.3 Osteopathie Laarman will report any personal data breach to the AP, unless it is unlikely that the breach poses a risk to the rights and freedoms of natural persons. Osteopathie Laarman will notify the AP within 72 hours of becoming aware of the breach, even if not all information is yet available; information that is not yet known will be supplied afterwards.
7.4 In addition, Osteopathie Laarman will inform the data subjects concerned without undue delay if the breach is likely to result in a high risk to them. To determine whether there is such a high risk, Osteopathie Laarman may first investigate the breach further.
7.5 Every data breach will be documented by Osteopathie Laarman in a register of data breaches that have occurred within Osteopathie Laarman. This register records not only the facts surrounding the breach and its consequences, but also the corrective measures taken.
8. Processing agreements
8.2 The following matters are in any case regulated in the processing agreement with Crossuite:
• the subject and duration of the processing;
• the nature and purpose of the processing;
• the type of personal data and the categories of data subjects;
• the rights and obligations of the controller;
• the personal data will only be processed on written instructions from Osteopathie Laarman, including with regard to the transfer of personal data to a third country or an international organization (unless the processor is legally obliged to process them otherwise);
• a guarantee by the processor that access to the data is limited to authorized persons, who must be bound to confidentiality by agreement or by a legal obligation;
• the processor applies at least the same level of security to the personal data as Osteopathie Laarman does;
• the processor will provide Osteopathie Laarman with all possible support in answering requests regarding the rights of data subjects;
• the processor will assist Osteopathie Laarman in fulfilling its obligations regarding the security of personal data and the obligation to report data breaches;
• after termination of the agreement between Osteopathie Laarman and the processor, the processor will delete the personal data processed on Osteopathie Laarman's behalf or return them to Osteopathie Laarman, and delete existing copies;
• the processor makes available to Osteopathie Laarman all information necessary to demonstrate that the obligations under the Regulation regarding the use of a processor are complied with, and that is necessary to make audits possible;
• the processor makes clear what agreements it makes with regard to sub-processors;
• the processor states the approved codes of conduct and certification mechanisms that it uses in its activities;
• the processor guarantees Osteopathie Laarman that it will meet all obligations that the GDPR imposes on a processor.
8.3 Osteopathie Laarman does not use processors other than Crossuite. Osteopathie Laarman does use an accountant. The accountant does not process patient data, but does have access to some personal data, in particular data relating to payments. The accountant has therefore signed a confidentiality statement. This statement provides not only that the accountant will maintain confidentiality regarding all personal data of patients of Osteopathie Laarman that he sees, but also that the accountant's employees and any third parties the accountant uses are bound by the same obligation of confidentiality. In addition, the statement provides that the accountant will not process personal data of patients.
9. Lead supervisory authority
9.1 Osteopathie Laarman must determine which supervisory authority it falls under. Osteopathie Laarman has 3 branches, in Amsterdam and Zwolle, all on Dutch territory, and all its activities take place in the Netherlands. The lead supervisory authority for Osteopathie Laarman is therefore the Dutch Data Protection Authority (AP).
10. Consent
10.1 The processing of certain data requires the consent of the data subject. This is the case for special categories of personal data and for personal data of a criminal nature. Processing the citizen service number (BSN) is likewise subject to strict conditions. Osteopathie Laarman processes the BSN of its patients because osteopaths are obliged to use this number in correspondence with other healthcare providers. Health data are also a special category of data for which the patient's consent is required for processing. In any event, it is strongly preferred to discuss the processing of all personal data with patients in advance and to record explicitly whether the patient has given consent for that processing.
10.2 Osteopathie Laarman will obtain this required consent in the following manner. In addition to drawing up a treatment plan, an overview of the agreements made will be drawn up during the patient's intake. This overview will be discussed with the patient and then handed to the patient or sent to the patient by email, with the note that it is a confirmation of the agreements made. The patient will be asked to acknowledge receipt. This 'order confirmation' states the most important information about what the patient can expect from the osteopath, namely:
– that the patient has been informed that personal data will be processed, and which personal data this concerns;
– that the patient has given explicit consent for that processing;
– that the patient has rights with regard to the processing of personal data, and that the patient can read about these rights and the further working methods of Osteopathie Laarman with regard to those personal data in the present regulations as published on the Osteopathie Laarman website;
– that the patient has been informed of the retention period(s) of the personal data;
– that the patient has the option to file a complaint against Osteopathie Laarman with the NRO or NOF;
– what the consultation rate of Osteopathie Laarman is;
11. Final word
11.1 Osteopathie Laarman believes that this privacy policy meets all requirements of the new GDPR rules. Osteopathie Laarman is aware that the regulations are new and that, as a result, not all aspects can yet be explained with certainty. Osteopathie Laarman will follow the adjustments, decisions and further news from the AP, so that timely measures can be taken to tighten or relax these policy rules where necessary.