PRIVACY REGULATIONS
PRIVACY RULES
Privacy regulations of the dental practices whose shares are held by BF Orthodontics B.V., namely: Betti Ortho, Voornsehoek 37 Amstelveen (KvK 90542711) www.bettiortho.com, hereinafter referred to as: “Betti Ortho”.
Article 1. General.
Betti Ortho ensures that the (special) Personal Data of patients is handled with care. We comply with applicable laws and regulations, including the General Data Protection Regulation (GDPR). With these Privacy Regulations, we would like to inform you more about our policy.
Article 2. Definitions.
For the sake of clarity, we briefly indicate what we mean by specific terms:
- Personal data: all data by which the patient can be identified.
- Controller: the controller, as referred to in Article 4(7) of the Regulation. For these privacy regulations, the dental practice.
- Processing: any operation performed on Personal Data, whether or not carried out by automated processes, such as collection, recording, organization, storage, updating, modification, retrieval, consultation, use, provision by transmission, distribution or any other form of making available, bringing together, linking, as well as blocking, erasing or destroying Personal Data.
- Processor: the person responsible for Processing Personal Data on behalf of the dental practice, without being subject to his direct authority, such as assistants hired by the Controller.
- Data Subject: the person to whom the Personal Data relates, in general, the patient.
- Implementation Act: the Implementation Act of the General Data Protection Regulation.
- Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJEU 2016, L 119).
- Privacy regulations: this document.
- Pseudonymized data: Personal data that can no longer be linked to a specific data subject without additional data being used. This additional data is stored so that it cannot be linked to an identifiable person.
Article 3. How do we obtain the data?
Personal data originates or is derived from data provided orally and in writing by the Data Subject or his legal representative. Personal data may also be provided by the health insurer, the general practitioner, other practitioners, specialists, care providers, or persons or institutions other than the aforementioned.
Article 4. How and why do we process data?
1. Processing is carried out in a manner that is lawful, fair, and transparent with regard to the Data Subject. In addition, Personal Data is collected for specified, expressly described and legitimate purposes. It is not Processed in a manner incompatible with those purposes.
2. Processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purposes.
3. The Processing is only lawful if and to the extent that at least one of the conditions below is met:
a. Consent of the Data Subject;
b. Entering into and carrying out a treatment (agreement);
c. Safeguarding a vital interest of the Data Subject, such as emergencies;
d. Promoting a legitimate interest of the Controller or a third party (for example business continuity);
e. Necessity to comply with a legal obligation or an agreement with the Data Subject.
4. Personal data will only be processed to the extent that they are adequate, relevant, and limited to what is necessary, considering the purposes for which they are Processed.
5. The dental practice processes Personal Data for the following purposes:
a. Treatment of the Data Subject;
b. Informing and contacting the Data Subject(s);
c. Financial administration;
d. Good functioning of the website.
Article 5. Conditions for consent.
1. The Controller can demonstrate that the Data Subject has consented to the Processing.
2. The Data Subject can always withdraw given consent.
Article 6. Other data.
Anonymized data does not fall under the scope of these Privacy Regulations.
Article 7. What data is involved?
Processing may relate to the following data categories:
a. Surname, first names, initials, title, gender, date of birth, address, postal code, place of residence, telephone number, and similar data required for communication, as well as payment data of the Data Subject;
b. An administration number that does not contain any information other than under a;
c. Data as referred to under a, of the parents, guardians or caretakers of minor Data Subjects;
d. Data as referred to under a of the family members or relatives of the Data Subject as well as others who are informed about the well-being and health of the Data Subject;
e. Information about the health status of the Data Subject and, in the event of hereditary disorders, his family members and relatives;
f. Other special Personal Data with a view to the proper treatment or care of the Data Subject;
g. Information about the treatment followed and to be followed by the Data Subject, as well as the medication or facilities provided;
h. Information about calculating, recording, and collecting the compensation;
i. Information about the insurance of the Data Subject;
j. Other information necessary for the treatment.
Article 8. Information obligation.
1. Before the Controller Processes Personal Data, he informs the Data Subject and/or his legal representative:
a. Who is responsible for the processing with contact details;
b. Why certain, concrete Personal Data will be processed;
c. If applicable, the contact details of the data protection officer;
d. How the Personal Data are Processed;
e. The period for which the Personal Data will be stored, or, if that is not possible, the criteria for determining that period;
f. All other information that must be provided for the purpose of due care. This also means: The more sensitive the Personal Data that the Controller wants to Process, the more thorough information must be provided.
2. If Personal Data is requested via a third party, or is supplied to a third party, the information obligation is fulfilled in the same way before the Personal Data is obtained or supplied, unless this can only be done with a disproportionate effort.
Article 9. Right of access
1. The Data Subject has the right to view his Personal Data and can request the following information:
a. A description of the purpose or purposes of the Processing of Personal Data;
b. All available information regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. An overview of recipients or categories of recipients who have received the Personal Data;
e. If possible, the period for which the Personal Data is expected to be stored, or if that is not possible, the criteria for determining that period;
f. That the Data Subject has the right to rectification, the right to erasure of data and the right to restriction of processing.
2. A request for access may be rejected on the basis of the following reasons:
a. The requester is not a Data Subject or his/her request does not relate to data that relate only to the requester;
b. The applicant has not yet reached the age of 16 and/or has been placed under guardianship. In that case, only the legal representative can make the request;
c. The controller has already recently responded to a similar request from the same applicant;
d. Protection of the Data Subject or of the rights and freedoms of others;
e. For the security of the state and/or the prevention, detection, and prosecution of criminal offenses.
Article 10. Other rights
1. The Data Subject has the right to object at any time to the Processing of Personal Data concerning him. The Controller will stop the Processing in the event of an objection.
2. The Data Subject has the right to obtain from the Controller without delay the rectification of incorrect Personal Data concerning him or her.
3. The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him or her without unreasonable delay.
In addition, the Controller is obliged to delete data without unreasonable delay when the Data Subject has withdrawn his consent or the Controller no longer needs the Personal Data for the purposes for which it was collected.
4. If the Data Subject disputes the accuracy of the Personal Data, the Data Subject has the right to obtain a restriction of the Processing from the Controller.
5. The Data Subject has the right to receive the Personal Data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable form.
Article 11. The exercise of rights by the Data Subject
The Controller takes appropriate measures so that the Data Subject receives the communication or information regarding the rights as described in these Privacy Regulations in a concise, transparent and accessible manner and in clear words.
Article 12. Access to and recipients of Personal Data
1. In principle, only those who are directly involved in the implementation of the treatment of the Data Subject have access to Personal Data, to the extent that such access is necessary for their work.
2. When Processing is carried out on behalf of the Controller, the Controller only uses Processors who provide adequate guarantees that the Personal Data are Processed in accordance with the Regulation, the Implementation Act or regulations based thereon.
3. Furthermore, access can be granted, or Personal Data provided, to the following persons and bodies:
a. Researchers as referred to in Article 7:458 of the Civil Code;
b. Health insurers to the extent necessary in view of the obligations under the insurance agreement;
c. Third parties charged with collecting claims insofar as access/provision is necessary and it does not concern medical data;
d. Others, when the basis for the Processed Data is:
(i) Consent of the Data Subject;
(ii) A need to comply with a legal obligation;
(iii) Safeguarding a vital interest of the Data Subject.
e. Others, when further Processing is carried out for historical, statistical or scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is carried out exclusively for these purposes.
Article 13. Register
The Controller keeps a register of the processing activities that take place under its responsibility. This register contains the following information:
a. The name and contact details of the Controller and, if applicable, of the data protection officer;
b. The processing purposes;
c. The categories of data to which the Processing relates;
d. The categories of recipients to whom Personal Data is provided;
e. If possible, the intended period within which the Personal Data should be deleted;
f. If possible, a description of the technical and organizational measures taken.
Article 14. Notification of Infringement.
1. If an infringement has occurred in connection with Personal Data, the Controller will – if and to the extent required by law – inform the Data Subject and the Dutch Data Protection Authority as soon as possible after becoming aware of it.
2. The notification referred to in the first paragraph shall contain at least:
a. The nature of the infringement;
b. The likely consequences of the infringement;
c. The measures taken by the Controller as a result of the infringement;
d. A point of contact for more information.
Article 15. Retention periods.
1. Medical data obtained to enter into or fulfill a treatment agreement will be retained for 20 years. The Controller is not obliged to observe retention periods longer than those required by law, in particular Article 7:454 paragraph 3 of the Civil Code.
2. Other Personal Data will not be kept for longer than is necessary for the purposes for which they were Processed. When that Personal Data is no longer needed, it will be deleted.
Article 16. Confidentiality.
1. The Controller, the Processor and anyone who has access to Personal Data under the authority of the Controller are obliged to maintain the confidentiality of the Personal Data.
2. Data relating to the health of the Data Subject(s) are regarded as ‘special Personal Data’. When processing special Personal Data, everyone who Processes them has a duty of confidentiality. This arises from the office, profession or employment contract of the person.
Article 17. Security.
1. The Controller must ensure appropriate technical and organizational measures to protect Personal Data.
2. ‘Appropriate’ means that the security measures taken are appropriate to the risk that the Personal Data will be (further) Processed carelessly or unlawfully and the damage that would result from this. The measures taken must ensure that:
a. Only authorized persons have access to Personal Data;
b. The Personal Data is correct and will not be lost;
c. The Personal Data are available without hindrance for lawful Processing in accordance with the agreements within the organization.
3. In all cases, the Controller is responsible for the information security policy and promotes this policy within the dental practice.
Article 18. Website.
1. Cookies are used on the Betti Ortho website. Cookies are small text files that are sent to the browser by a website, after which the browser stores this data. When you next visit the website, the stored data will be sent back to the website by the browser. Cookies come in all shapes and sizes. Betti Ortho uses technical cookies, analytical cookies, and marketing cookies. Below, we explain what these cookies are used for.
Technical cookies
Technical cookies are necessary for the website to function properly. These cookies are necessary to ensure that you have an optimal user experience. No personal data is processed when using technical cookies.
Analytical cookies
Analytical cookies are used to collect information about how website visitors use and experience our website. This information allows us to optimize the website, monitor the operation, and improve the user experience. No personal data is processed when using analytical cookies.
Marketing cookies
Marketing cookies, also called tracking cookies, are used to track the surfing behavior of website visitors across the internet. If you have given permission, we will place tracking cookies to present personalized offers and discount promotions via various online channels.
You consent to this processing when you place a check mark in the cookie notification. You can change your preference at any time via the cookie settings on the website. Betti Ortho takes appropriate technical and organizational security measures to protect personal data against loss or any form of unlawful processing. These measures are aimed at achieving an appropriate level of protection, taking into account the risks associated with the processing and the nature of the data to be protected.
2. Retention period of data via the website
Betti Ortho does not store your data for longer than is necessary to achieve the purposes for which the data was collected, with a maximum period of 2 years.
3. Management and access to the personal data of third parties
Subject to statutory provisions to this effect in legislation and regulations, only those who are responsible for managing the client file and/or those who are associated with the processing of personal data or that are necessarily involved, including employees and processors of Betti Ortho, have access to the personal data.
Betti Ortho uses the following online tools:
- YouTube
- Google Analytics
- Mailchimp
- Vimeo
These online tools are used, among other things, to analyze the surfing behavior of website visitors, collect website statistics, and send newsletters. The above parties, such as Facebook, have their own privacy statement and bear their own responsibility for it.
Article 19. Final Provisions.
1. The Controller does not accept more obligations than those to which he is obliged by law, unless otherwise agreed in writing with the Data Subject.
2. The Data Subject has the right to file a complaint with the supervisory authority.
3. Changes to these Privacy Regulations will be made by the Controller. The changes to the Privacy Regulations apply to the Data Subject(s) after the Data Subject(s) have been informed of the change.
4. These Privacy Regulations came into effect on June 16, 2023 and can be viewed at the dental practice.
For questions or to exercise the rights of the Data Subject, you can contact us at:
Address: Michelangelostraat 66, Amsterdam
Telephone: +31 6 1029 2815
E-mail: info@bettiortho.com