Name dental practice: Tandartspraktijk Transparant
Practice address: Ben van Meerendonkstraat 53, 1087 LB Amsterdam
Email address: email@example.com
Telephone number: +31(0)20 495 5669
Article 1. General
Article 2. Definitions
For clarity’s sake, we briefly state what we mean by certain terms:
1. Personal data: all data through which the patient can be identified.
3. Processing / Processing: an processing of personal data, whether or not
carried out through automated processes such as collection, recording,
organize, store, update, change, retrieve, consult, use, provide
by means of forwarding, distribution or any other form of
making available, bringing together, linking together, and the
protect, erase or destroy Personal Data.
4. Processor: the person who is on behalf of the dental practice for the Processing
of Personal Data, without being under his direct authority
such as assistants hired by the Controller.
5. Data Subject: the person to whom the Personal Data relates in the
generally the patient.
6. Implementation Act: the Implementation Act General Data Protection Regulation.
7. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to
with processing of personal data and concerning the free movement of those
data and repealing Directive 95/46 / EC (PbEU 2016, L 119).
9. Pseudonomized data: Personal data that is no longer attached to one
specific person can be linked without additional
data is used. This additional information is stored in such a way
that they cannot be linked to a person to be identified.
Article 3. How do we get the data?
Personal data is derived or derived from data obtained orally and in writing
are provided by the Data Subject or his legal representative.
Personal data can also be provided by the health insurer, the
general practitioner, other practitioners, specialists, care providers or other than the aforementioned
persons or authorities.
Article 4. How and why do we process data?
1. Processing takes place in a manner that is lawful,
is decent and transparent. In addition, the collection of
Personal data for specific, explicitly described and justified
purposes. The processing thereof does not take place for those purposes
2. Processing with a view to archiving in the public interest, scientifically
or historical research or statistical purposes is not considered incompatible with
considered the original purposes.
3. The Processing is only lawful if and insofar as at least one of the
the following conditions are met:
a. Consent of the Data Subject;
b. Entering into and carrying out a treatment (agreement);
c. Safeguarding a vital interest of the Data Subject, such as emergencies;
d. Representing a justified interest of the Controller or of
a third party (for example, business continuity);
e. Need for a legal obligation or an agreement with the Data Subject
4. Personal data is only processed insofar as it is in accordance with the purposes
for which they are Processed are adequate, relevant and limited to what
5. The dental practice processes Personal Data for the following purposes:
a. Treatment of the Data Subject;
b. Informing and contacting the Data Subject (s);
c. Financial administration;
d. Proper functioning of the website.
Article 5. Conditions for permission
1. The Controller can prove that the Data Subject has given permission
for the Processing.
2. The Data Subject can always withdraw a given permission.
Article 6. Other information
Article 7. What information does this concern?
Processing can refer to the following data categories:
a. Name, first names, initials, title, gender, date of birth, address, zip code,
place of residence, telephone number and similar required for communication
data as well as payment data of the Data Subject;
b. An administration number that contains no other information than under a;
c. Data as referred to under a, from the parents, guardians or guardians of
minor Persons involved;
d. Data as referred to under a of the family or relatives of the Data Subject
as well as others who become concerned about the well-being and health of the Data Subject
e. Information about the health status of the Data Subject and in the case of hereditary
disorders of his family and relatives;
f. Other special Personal Data for the purpose of proper treatment or
care of the Data Subject;
g. Information about the followed and to be followed treatment of the Data Subject as well
the medication or facilities provided;
h. Information about calculating, recording and collecting the reimbursement;
i. Information about the insurance of the Data Subject;
j. Other information necessary for the treatment.
Article 8. Information obligation
1. Before the Responsible Personal Data is Processed, he will share the Data Subject
and / or his legal representative:
a. Who is responsible for processing with contact details;
b. Why certain, specific Personal Data will be processed;
c. If applicable, the contact details of the data protection officer;
d. How the Personal Data is Processed;
e. The period during which the Personal Data will be stored,
or, if that is not possible, the criteria for determining that period;
f. All other information that must be provided for the sake of care
provided. That also means: The more sensitive the Personal Data that the
The person responsible wants to Process, the more thoroughly the information must be.
2. If Personal Data is requested via a third party, or is transferred to a third party
delivered, the obligation to provide information is met in the same way before the
Personal data is obtained or supplied, unless this is only done with a
disproportionate effort can be made.
Article 9. Right to inspection
1. The Data Subject has the right to view his Personal Data and may
request the following data:
a. A description of the purpose or purposes of the Processing of
b. All available data regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. An overview of recipients or categories of recipients that the
Have received personal data;
e. If possible, the period during which the Personal Data is sent to
expected to be saved, or if that is not possible, the criteria
to determine that period;
f. That the Data Subject has the right to rectification, the right to data deletion and the
has the right to limit the processing.
2. A request for access may be rejected for the following reasons:
a. The applicant is not a Data Subject or his / her request does not relate to
data that only concern the applicant;
b. The applicant has not yet reached the age of 16 and / or is under guardianship
is stated. In that case, only the legal representative can submit the request
c. The responsible party has recently submitted a similar request from
the same applicant;
d. Protection of the Data Subject or of the rights and freedoms of others;
e. Because of state security, and / or prevention, detection and
prosecution of criminal offenses.
Article 10. Other rights
1. The Data Subject has the right to object to the Processing at any time
of Personal Data concerning him. The Processing will be terminated upon objection
by the Controller.
2. The Data Subject has the right to rectify from the Responsible Person without delay
obtain information concerning incorrect Personal Data.
3. The Data Subject has the right of the Controller without being unreasonable
to obtain a delay in the change of Personal Data.
In addition, the Controller is obliged without unreasonable delay in data
to delete when the Data Subject has withdrawn his consent or the
The person in charge no longer needs the Personal Data for the purposes
for which they were collected.
4. The Data Subject has the accuracy of the Personal Data
disputes the Controller’s right to limit Processing
5. The Data Subject has the right to the Personal Data concerning him, which he submits to
Responsible person has provided, in a structured, current and
Article 11. The exercise of rights by the Data Subject
The Controller takes appropriate measures to ensure that the Data Subject communicates
transparent and accessible manner and in clear terms.
Article 12. Access to and recipients of Personal Data
1. Access to Personal Data is in principle only available to those directly
are involved in the implementation of the Data Subject’s treatment, insofar as that
access is necessary for their work.
2. If a Processing is carried out on behalf of the Controller, the
Responsible person solely appeals to Processors who provide adequate guarantees
issue that the Personal Data is Processed in accordance with the Regulation, the
Implementing Act or regulations based on it.
3. For the rest, the following persons and authorities may gain access
granted / Personal information is provided:
a. Researchers as referred to in Section 7: 458 of the Dutch Civil Code;
b. Insurers insofar as necessary with a view to the obligations arising from the
c. Third parties charged with the collection of receivables insofar as
access / provision is necessary and it does not concern medical data;
d. Others, when the basis of the Processed Data is:
(i) Consent of the Data Subject;
(ii) A need to fulfill a legal obligation;
(iii) Safeguarding a vital interest of the Data Subject.
e. Others, when further Processing for historical, statistical or
for scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is exclusively carried out
for these purposes.
Article 13. Register
The Controller maintains a register of the processing activities under her
responsibility. This register contains the following information:
a. The name and contact details of the Controller and, if applicable,
of the data protection officer;
b. The processing purposes;
c. The categories of data to which the Processing relates;
d. The categories of recipients to whom Personal Data are provided;
e. If possible, the intended period within which the Personal Data must be
f. If possible, a description of the affected technical and organizational
Article 14. Reporting infringement
1. If an infringement with regard to Personal Data has taken place, the
Responsible for this – if and to the extent required by law – as soon as possible
after it has been informed of this to the Data Subject and the Authority
2. The notification referred to in the first paragraph must contain at least:
a. The nature of the infringement;
b. The likely consequences of the infringement;
c. The measures taken by the Controller as a result of the infringement
d. A contact point for more information.
Article 15. Retention periods
1. Medical data obtained to enter into a treatment agreement
to go or fulfill are kept for 15 years. The Controller is not required
up to longer retention periods than by law, in particular article 7: 454 paragraph 3 of the
Civil Code, mandatory.
2. Other Personal Data will not be kept longer than necessary for the
purposes for which they were processed. If that Personal Data is no longer
Article 16. Confidentiality
1. The Controller, the Processor and anyone under the authority of the
Responsible persons have access to Personal Data, are required to
confidentiality of the Personal Data.
2. Data related to the health of Data Subject (s) will be as
“Special Personal Data”. For Processing special
Personal data applies that everyone who processes them has a confidentiality obligation
has. This results from the office, the profession or from the employment contract of
Article 17. Security
1. The Controller must ensure appropriate technical and organizational
measures to protect Personal Data.
2. “Suitable” means that the security measures that are taken fit in with
the risk that the Personal Data will become careless or unlawful (further)
Processed and the damage that would result. The measures taken
must ensure that:
a. Only authorized persons have access to Personal Data;
b. The Personal Data are correct and will not be lost;
c. The Personal Data are available without lawful impediment to legitimate
Processing according to the agreements within the organization.
3. In all cases, the Controller will take care of it
information security policy and promotes this policy within the dental practice.
Article 18. Final provisions
1. The Controller accepts no more obligations than what he enters
is required by law, unless otherwise agreed in writing with the
2. The Data Subject has the right to submit a complaint to the supervisory body
The changes to the Privacy Regulations are effective compared to
Data subject (s) after Data subject (s) have been informed of the change.
to see dental practice.
For questions or to exercise the rights of the Data Subject you can contact
the practice on 020-4955669 or firstname.lastname@example.org