Processing agreement

GDPR regulations

The new privacy legislation came into effect on May 25, 2018. It concerns the Privacy Directive (95/46/EC) and the Privacy and Electronic Communications Directive (2002/58/EC), the national laws implementing these directives and/or, where applicable, Regulation (EU) 2016/679 (the "General Data Protection Regulation"). This is summarized as the GDPR. This legislation replaces the Personal Data Protection Act. The GDPR expects a more proactive role from every organization that processes personal data.

The most relevant changes to take into account are:
– strengthening and expanding privacy rights;
– more responsibilities for organizations;
– the same, strong powers for all European privacy supervisors, such as the power to impose fines of up to 20 million euros.

As before, the Dutch Data Protection Authority (hereinafter AP) remains the authority that monitors whether organizations comply with the legislation, as it did under the Personal Data Protection Act. In preparation for the new regulations, the AP has drawn up a step-by-step plan:

The GDPR-10 step-by-step plan:

  1. Awareness
  2. Rights of data subjects
  3. Overview of processing operations
  4. Data protection impact assessment (DPIA) 
  5. Privacy by design & privacy by default 
  6. Data Protection Officer 
  7. Data leak reporting obligation
  8. Processing agreements
  9. Leading supervisor
  10. Consent

Further elaboration of this step-by-step plan and compliance with it in practice should ensure that Osteopathie Laarman can comply with the new GDPR legislation as much as possible. The different steps will be discussed below. It will be examined to what extent these points apply within Osteopathie Laarman, what challenges Osteopathie Laarman faces and how Osteopathie Laarman can meet the 'new' obligations in a responsible manner.

The GDPR-10 step-by-step plan:

1. Awareness

1.1 Osteopathie Laarman is a practice within which Ilona Laarman offers osteopathy as a service. In order to achieve that goal, Osteopathie Laarman must process and use personal data of patients within its daily business operations.
 
1.2 The data that is documented is privacy sensitive. It concerns personal data on the basis of which the data subject can be identified, both directly and indirectly. In order to ensure that this data is handled in a manner that is responsible and complies with the privacy legislation that came into effect on May 25, 2018, Osteopathie Laarman has chosen to use the present protocol to map out, on the basis of the GDPR step-by-step plan listed above, how the GDPR should be implemented.
 
1.3 This concerns registration of personal data with a legitimate interest. After all, the patients themselves register with Osteopathie Laarman. They would like to be helped by the osteopath for their complaints.
 

2. Rights of data subjects

2.1 To ensure fair processing of personal data, the Regulation gives various rights to the data subject. The data subject can exercise these rights against the controller. The data subject has:
– the right to information about the processing operations;
– the right to inspect his data;
– the right to have the data corrected if it is incorrect;
– the right to deletion of the data and 'the right to be forgotten';
– the right to limit data processing;
– the right to object to data processing;
– the right to transfer his data (data portability);
– the right not to be subject to automated decision-making.
 
2.2 A patient or former patient (the data subject) can request the above information. The person concerned can do this by email to info@osteopathielaarman.nl. The person concerned must identify himself, so that Osteopathie Laarman can determine with sufficient certainty that the person making the request is actually the person concerned.
 
2.3 Osteopathie Laarman will inform the person concerned about the implementation of the request within 1 month of receipt of the request. For complex or multiple requests, this period can be extended by a maximum of 2 months. In such a case, the data subject will be informed of an extended period for execution of the request. The information is in principle provided in writing.
 
2.4 In some cases, Osteopathie Laarman may refuse to execute a request for data provision or charge costs for it. This concerns situations in which the person concerned makes excessive or unfounded requests (for example, multiple requests in succession for the same data), or in which one of the protective necessity criteria of the GDPR applies, such as in the context of a (criminal) investigation into the data subject. If Osteopathie Laarman refuses to comply with the request, Osteopathie Laarman will give its reasons and inform the person concerned of the right to complain to the GDPR supervisory authority.

2.5 Osteopathie Laarman realizes that if it makes a written decision in the context of the exercise of the rights of the data subject, this will count as a decision within the meaning of the General Administrative Law Act.

2.6 In some cases, Osteopathie Laarman must inform the patient concerned on its own initiative. This is the case if:
– data is obtained without the data subject's consent;
– data will be used for a purpose other than that for which the data was originally provided.
Osteopathie Laarman will inform the person concerned within 1 month in those cases.

2.7 If the patient's treatment ends, Osteopathie Laarman will keep the personal data in its system for some time. The Wgbo law stipulates that medical records must be kept for 15 years. Osteopathie Laarman will adhere to this retention period. The files will be destroyed after 15 years. The file also contains data of a non-medical nature.

2.8 In order to ensure that the data subject has a complete picture of how his personal data is handled, for what purpose and on what basis (legitimate interest), every person involved in registration will have access to this privacy statement and the associated documents. Osteopathie Laarman will place this information on the website and point out that location to everyone involved.

3. Overview of processing operations

3.1 Osteopathie Laarman processes personal data of patients. The following personal data of these patients is processed. With regard to all these forms of processing of personal data, Osteopathie Laarman will keep a register of processing activities. It lists all types of personal data that will be processed.

3.2 In the event that the patient files a complaint against the osteopath, that data will also be processed by Osteopathie Laarman.
 

4. Data protection impact assessment (DPIA)

4.1 DPIA stands for Data Protection Impact Assessment. A DPIA is only mandatory when there is data processing that is likely to pose a high privacy risk. The GDPR names three situations in which there is an increased risk:
– systematically and extensively evaluating personal aspects;
– processing special personal data on a large scale;
– monitoring people on a large scale and systematically in a publicly accessible area.

4.2 In addition to the criteria from the GDPR itself, the working group of European privacy supervisors has drawn up a list of 9 criteria to further examine whether a DPIA is necessary. The criteria that could apply to osteopaths are:
– sensitive data processing;
– large-scale data processing;
– data processing about vulnerable people.

4.3 The privacy regulators do not view the processing of special personal data by individual doctors as large-scale. Individual physicians therefore do not have to perform a DPIA. It follows that data processing by the individual osteopath does not require a DPIA either. Osteopathie Laarman will therefore not perform a DPIA.

4.4 However, Osteopathie Laarman is aware that this concerns special personal data. The contents of a medical file are sensitive to the person concerned and require a high degree of confidentiality. Osteopathie Laarman will therefore endeavor to ensure that this data remains confidential. 

4.5 The data that Osteopathie Laarman registers are only intended for internal use. The personal data are used to ensure that the osteopath can provide the patient with the best possible service: to help resolve complaints and to make it possible for the health insurer to reimburse the costs as much as possible.

4.6 In due course, the Dutch Data Protection Authority (AP) will publish a list of processing operations for which a DPIA is mandatory. As soon as that list is available, Osteopathie Laarman will re-examine its processing of personal data to see whether further measures are necessary.

5. Privacy by design & privacy by default

5.1 Privacy by design and privacy by default. Osteopathie Laarman provides a service that is supported by the processing of personal data. Osteopathie Laarman therefore takes the right to the protection of personal data into account when developing and elaborating this service. Taking into account the state of the art, Osteopathie Laarman ensures that controllers and processors are able to meet their data protection obligations.

5.2 Osteopathie Laarman pays attention to:
– minimizing the processing of personal data;
– only noting the BSN number, and not making a copy of the passport/ID card;
– transparency regarding the functions and processing of personal data;
– enabling the data subject to control information processing; and
– creating and improving security features.

6. Data Protection Officer

6.1 As with the DPIA, the individual practice of an osteopath is not regarded by the AP as a large-scale processor. Even though it concerns special personal data, appointing a Data Protection Officer (FG) is not necessary. Osteopathie Laarman once again points out that this concerns the processing of personal data at the request of the patient, who wants the best possible treatment. Osteopathie Laarman does not process personal data for commercial purposes. Patients are not tracked by Osteopathie Laarman on the basis of personal data.

 

6.2 Osteopathie Laarman emphasizes once again that it is aware that it processes personal data that has a high degree of confidentiality. Osteopathie Laarman believes that it has taken all measures to ensure that patients' personal data are not used for purposes other than those intended.

7. Data leak reporting obligation

7.1 A data breach within the meaning of the GDPR is a personal data breach: a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

7.2 Malicious intent is not required for an incident to qualify as a personal data breach. In addition to the 'hacking' of personal data, this could also include data stored on a lost laptop, or a restricted website with personal data that is accidentally made accessible. A personal data breach means that a security incident has actually occurred; it is not merely a threat or a security weakness (also referred to as a security leak) that could lead to a security incident. A security incident has actually occurred, and the preventive measures taken were not sufficient to prevent it.

7.3 Osteopathie Laarman will report any data breach to the AP, unless it is unlikely that the breach poses a risk to the rights and freedoms of natural persons. Osteopathie Laarman will notify the AP within 72 hours of discovery, even if not all information is yet available. 

7.4 In addition, Osteopathie Laarman will immediately report the data breach to the data subjects involved if the breach of personal data poses a high risk. To determine whether there is a high risk, Osteopathie Laarman may first conduct further investigation.

7.5 The data breach will be documented by Osteopathie Laarman in an overview of data breaches that have occurred within Osteopathie Laarman. Not only will the facts surrounding the infringement and its consequences be documented in this overview, but also the corrective measures taken.

 

8. Processing agreements

8.1 Osteopathie Laarman uses the company Crossuite to process personal data in a patient management platform. This company should therefore be seen as a processor. In order to ensure that Crossuite complies with the requirements necessary to comply with the GDPR, Osteopathie Laarman has entered into a processing agreement with Crossuite.

8.2 The following matters are in any case regulated within the processing agreement with Crossuite:
– the subject and duration of the processing;
– the nature and purpose of the processing;
– the type of personal data and the categories of data subjects;
– the rights and obligations of the controller;
– the personal data will only be processed under written instructions from Osteopathie Laarman, including with regard to the transfer of personal data to a third country or an international organization (unless the processor is legally obliged to do so);
– a guarantee by the processor that access to that data is limited to authorized persons, who must be bound to confidentiality on the basis of an agreement or a legal obligation;
– the processor applies at least the same level of security to the personal data as Osteopathie Laarman does;
– the processor will provide Osteopathie Laarman with all possible support in fulfilling its obligations with a view to answering requests regarding the rights of data subjects;
– the processor will assist Osteopathie Laarman in fulfilling its obligations in the field of security of personal data and the obligation to report data breaches;
– after termination of the agreement between Osteopathie Laarman and the processor, the processor will delete the personal data processed on Osteopathie Laarman's behalf or return it to Osteopathie Laarman, and delete existing copies;
– Osteopathie Laarman makes available all information necessary to demonstrate that the obligations under the Regulation regarding the use of a processor are complied with and that is necessary to make audits possible;
– the processor makes clear what agreements it makes with regard to sub-processors;
– the processor states the approved codes of conduct and certification mechanisms that it uses in its activities;
– the processor guarantees Osteopathie Laarman that it will meet all obligations that the GDPR requires of the processor.

8.3 Osteopathie Laarman does not use processors other than Crossuite. Osteopathie Laarman does use an accountant. The accountant does not process patient data, but does have access to some personal data, in particular the data surrounding payments. The accountant has therefore signed a confidentiality statement. This statement not only states that the accountant himself will maintain confidentiality regarding all personal data of patients of Osteopathie Laarman that he sees; the employees and third parties that the accountant uses also have the same obligation of confidentiality. In addition, the statement states that the accountant will not process personal data of patients.

9. Leading supervisor

9.1 Osteopathie Laarman must determine under which supervisory authority it falls. Osteopathie Laarman has 3 branches, in Amsterdam and Zwolle, all on Dutch soil. The activities of Osteopathie Laarman are thus based on Dutch territory. The leading supervisory authority for Osteopathie Laarman is therefore the Dutch Data Protection Authority.

 

10. Consent

10.1 The processing of certain data requires the consent of the data subject. This is the case if it concerns special categories of personal data and personal data of a criminal nature. The national identification number (BSN) also requires explicit consent from the data subject if that number is processed. Osteopathie Laarman processes the BSN of its patients, since osteopaths are obliged to use this number in correspondence with other healthcare providers. Health data also constitutes a special category of data for which the patient's consent is required for processing. In any case, it is strongly preferred to discuss the processing of all personal data with patients in advance and to explicitly record whether the patient has given permission for that processing.

10.2 Osteopathie Laarman will obtain this required consent in the following manner. In addition to drawing up a treatment plan, an overview of the agreements will be provided during a patient's intake. These will be discussed with the patient and will then be given to the patient or sent to the patient by email, with the note that this is a confirmation of the agreements made. Acknowledgment of receipt will be requested from the patient. This 'order confirmation' will state the most important information about what the patient can expect from the osteopath. This concerns the following:
– that the patient has been informed of the fact that personal data will be processed and which personal data it concerns;
– that the patient has given explicit consent for that processing;
– that the patient has rights with regard to the processing of personal data, and that the patient can read about these rights and the further working methods of Osteopathie Laarman with regard to those personal data in the present regulations as published on the Osteopathie Laarman website;
– that the patient is informed of the retention period(s) of the personal data;
– that the patient has the option to file a complaint against Osteopathie Laarman with the NRO or NOF;
– what the consultation rate of Osteopathie Laarman is.

11. Final word

11.1 Osteopathie Laarman assumes that this privacy policy meets all requirements of the new GDPR rules. Osteopathie Laarman is aware that the regulations are new and that not all aspects are yet easy to interpret. Osteopathie Laarman will follow the adjustments, decisions and further news from the AP, so that timely measures can be taken to further tighten or trim these policy rules.