Privacy statement according to the GDPR – in detail
Healthcare provider: Burgdorffer Acupuncture. Data Protection Officer: Adheesh Burgdorffer, 020-6226115, email
In my practice I work with two categories of my patients' personal data:
- the patient file; this is kept on paper only
- the financial administration; this is stored digitally
1. The patient file
In the file I note: name, address, place of residence, telephone number and e-mail address, appointment date; date of birth, medical data, relevant social data (e.g. relationship, children, living and working situation, hobbies/sports), if necessary matters regarding sexuality, and the contact details of the general practitioner. A file can also contain written communication with other healthcare providers for which you have given permission, and medical certificates that you have requested in connection with a personal injury lawsuit.
When treating minors under the age of 16, the name, address, telephone number and e-mail address of both parents are also stored. In that case, written permission from both parents is also required; this permission is also saved.
Creating a file is necessary for the execution of the treatment agreement and is required by the Medical Treatment Agreement Act (WGBO). The retention period of your file is 20 years after the last change or addition, in accordance with the WGBO.
The purpose of the data recording is to be able to perform an acupuncture treatment and any additional treatment with herbs and/or supplements.
The data in your file can also be used:
– to inform other healthcare providers (after your permission), for example when the treatment has been completed or when referred to another healthcare provider;
– for use (with your consent) by an observer during my absence;
– for anonymous use during peer consultation, teaching trainees or other teaching objectives;
– anonymised (after your permission) for scientific research.
If I want to use your data for another reason, your permission will be requested.
2. The financial administration
This includes the agenda, any orders for herbs or supplements, invoices and payments. The financial administration does not contain any medical or similar sensitive data.
Appointments are made and saved in the online calendar system. In addition to the date and time of your appointments, it also contains the rates and your name, address, place of residence, email and telephone number. A GDPR processing agreement has been concluded with the service provider, which means that it is bound by confidentiality and adequate security. The hosting takes place on Dutch servers.
Orders of herbs and nutritional supplements are placed via websites and e-mail; my e-mail is secured with SSL so that information cannot be intercepted. I have a GDPR processing agreement with the suppliers. In addition to the name of the ordered product, the supplier only receives your name, address and place of residence, and possibly your e-mail address or telephone number.
The treatment invoice contains the information required by the legislator and health insurance: your name, address, place of residence, your debtor number, the date of the treatment, a brief description of the treatment, a performance code, for example “24104 acupuncture”, and the costs of the consultation.
All invoices and payments are processed in the bookkeeping. In addition to the invoice data, your e-mail address and telephone number are also included in the bookkeeping.
Keeping a financial administration is required by law for every entrepreneur. The purpose of the data processing is correct billing and, of course, the tax return. The legal retention period of this data is 7 years.
The data of the financial administration are stored in the cloud. This is done using so-called end-to-end encryption, in which the data is encrypted before it leaves my computer and is only decrypted when it is downloaded again to one of my computers. The provider therefore cannot view the data itself and is regarded as one of the safest in the world. A GDPR processing agreement is in place. The servers are located in a country that complies with EU data protection.
Your rights:
– I refer you to my privacy policy; this can always be found on my website.
– During the intake I conclude a treatment agreement with you; on the basis of this agreement I may record and process your data; this treatment agreement will be included in your file.
– I do not record more data than is necessary for the described purpose.
– You have the right to withdraw a granted permission (notify me in writing or by email).
– You have the right to inspect and correct your own data.
– Insofar as this is legally possible, you have the right to have your data erased and to take your own data with you (data portability) (notify me in writing or by e-mail).
– You have the right to submit a complaint about how I handle your personal data, both to me and to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), www.autoriteitpersoonsgegevens.nl.
The practice website
E-mail contact via the contact form on the practice website or via your own e-mail program is secured with SSL. This means that the information is sent encrypted and cannot be intercepted en route. However, if your own PC, tablet or smartphone is hacked, the content may become accessible to third parties.
The practice website is secured with SSL, among other things. A GDPR processing agreement has been concluded with the hosting provider. The hosting takes place on German servers; German privacy legislation is even stricter than Dutch legislation.
Google Analytics
My website uses Google Analytics to measure and analyse the browsing behaviour of visitors. The data obtained in this way is used to optimise and improve the website. An example: if the measurement data shows that many visitors leave on a certain page, that page can be improved. Google may be required by law to provide information to third parties; I have no influence on this. Google claims to adhere to the Safe Harbor principles and is affiliated with the Safe Harbor program. This means that there is an appropriate level of protection for the processing of any personal data.
And last but not least
- I have a protocol for data breaches.
- My services are subject to healthcare legislation in the Netherlands and Dutch law in general, e.g. WGBO, Wkkgz and AVG.
- The information in this privacy statement can (and should) be adjusted; therefore always consult the most recent version on my practice website.
Version: January 2022