
Privacy Policy
Privacy Regulations of the dental practices whose shares are held by Holding Lassus Tandartsen BV, namely: Lassus Tandartsen B.V., Lassusstraat 9 (KvK 61752614) www.lassus.nl, Lassus Tandartsen Keizersgracht B.V., Keizersgracht 132A/B (KvK 61754501) www.lassus.nl, Lassus Tandartsen Olympisch Stadion B.V., Stadionplein 125 (KvK 68292112) www.lassus.nl, Apollo Orthodontie B.V., Apollolaan 174 (KvK 74766694), www.apollo-ortho.nl, Oisterwijk Tandheelkunde B.V., Moergestelseweg 32L (KvK 72078618), www.lassus.nl, Lassus Tandartsen Lelystad B.V., Middendreef 273 (KvK 73981230) www.lassus.nl, Tandartspraktijk de Liefde B.V., Rietwijkerstraat 52 (KvK 61753858) www.tandartspraktijkdeliefde.nl, Tandartspraktijk Plantage Middenlaan B.V., Plantage Middenlaan 1-H (KvK 62791400) www.tandartsplantagemiddenlaan.nl, Tandartspraktijk Jan van Galen B.V., Jan van Galenstraat 171 (KvK 64763692) www.tandartspraktijkjanvangalen.nl, Tandartspraktijk Johan Huizingalaan B.V., Johan Huizingalaan 122 (KvK 82893187) www.tandartshuizingalaan.nl, TTH van Wou B.V., (KvK 53686632) www.tthvanwou.nl and Dentista Amsterdam B.V., Ceintuurbaan 308-310 (KvK 82137234) www.dentista.nl, hereinafter referred to as “Lassus”.
ARTICLE 1. GENERAL
Lassus ensures that (special) Personal Data of patients is handled with care. We comply with the applicable laws and regulations, including the General Data Protection Regulation. With this Privacy Regulation we want to inform you in more detail about our policy.
ARTICLE 2. DEFINITIONS
For clarity, we briefly state what we mean by certain terms:
- 1. Personal data means any data by means of which the patient can be identified.
- 2. Controller: the controller, as referred to in Article 4 paragraph 7 of the Regulation. For this privacy regulation the dental practice.
- 3. Processing: a processing of Personal Data, whether or not carried out through automated processes, such as the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, provision by means of transmission, dissemination or any other form of making available, bringing together, interconnection, as well as the blocking, erasure or destruction of Personal Data.
- 4. Processor: the person who takes care of the Processing of Personal Data on behalf of the dental practice, without being subject to its direct authority, such as auxiliary persons hired by the Controller.
- 5. Data Subject: the person to whom the Personal Data relates, generally the patient.
- 6. Implementation Act: the General Data Protection Regulation Implementation Act.
- 7. Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJEU 2016, L 119).
- 8. Privacy Regulations: this document.
- 9. Pseudonymized data: Personal data that can no longer be linked to a specific data subject without the use of additional data. This additional data is kept in such a way that it cannot be linked to an identifiable person.
ARTICLE 3. HOW DO WE GET THE DATA?
Personal Data is derived from data provided orally and in writing by the Data Subject or the Data Subject’s legal representative. Personal Data may additionally be provided by the health insurance company, the general practitioner, other practitioners, specialists, social workers or other persons or bodies other than the aforementioned.
ARTICLE 4. HOW AND WHY DO WE PROCESS DATA?
1. Processing shall be carried out in a manner that is lawful, proper and transparent with respect to the Data Subject. In addition, the collection of Personal Data is done for specified, explicit and legitimate purposes. Processing shall not be carried out in a manner incompatible with those purposes.
2. Processing for archiving in the public interest, scientific or historical research or statistical purposes shall not be considered incompatible with the original purposes.
3. The Processing is lawful only if and to the extent that at least one of the following conditions is met:
a. Consent of the Data Subject;
b. Entering into and performing a treatment (agreement);
c. Safeguarding a vital interest of the Data Subject, such as emergency;
d. Serving a legitimate interest of the Respondent or a third party (e.g., business continuity);
e. Necessity to fulfill a legal obligation or an agreement with the Data Subject.
4. Personal Data shall only be Processed insofar as they are adequate, relevant and limited to what is necessary in view of the purposes for which they are Processed.
5. The dental practice processes Personal Data for the following purposes:
a. Treating the Data Subject;
b. Informing and contacting Data Subject(s);
c. Financial administration;
d. Proper operation of the website.
ARTICLE 5. CONDITIONS OF CONSENT
1. The Controller can prove that the Data Subject has given consent to the Processing.
2. The Data Subject can withdraw a given consent at any time.
ARTICLE 6. OTHER DATA
Anonymized data does not fall within the scope of this Privacy Policy.
ARTICLE 7. WHAT DATA IS INVOLVED?
Processing may involve the following data categories:
a. Name, first names, initials, title, gender, date of birth, address, zip code, place of residence, telephone number and similar data necessary for communication, as well as payment data of the Data Subject;
b. An administration number containing no information other than under a;
c. Data referred to under a from the parents, guardians or caregivers of minor Data Subjects;
d. Data referred to in point a from the family or relatives of the Data Subject as well as others who are informed about the wellbeing and health of the Data Subject;
e. Information regarding the health status of the Data Subject and, in the case of hereditary conditions, his family and relatives;
f. Other special Personal Data with a view to the proper treatment or care of the Data Subject;
g. Information regarding the treatment followed and to be followed by the Data Subject as well as the medication or provisions provided;
h. Information regarding the calculation, recording and collection of reimbursement;
i. Information about the Data Subject’s insurance;
j. Other data necessary for the treatment.
ARTICLE 8. DUTY TO INFORM
1. Before Processing Personal Data, the Controller shall inform the Data Subject and/or his/her legal representative:
a. Who is responsible for the processing with contact details;
b. Why certain, specific Personal Data will be Processed;
c. If applicable, the contact details of the Data Protection Officer;
d. In what manner the Personal Data will be Processed;
e. The period for which the Personal Data will be stored or, if that is not possible, the criteria for determining that period;
f. Any other information that must be provided for the purpose of due diligence. This also means: The more sensitive the Personal Data that the Controller intends to Process, the more thorough information must be provided.
2. If Personal Data is requested through a third party, or supplied to a third party, the information obligation is fulfilled in the same way, before the Personal Data is obtained or supplied, unless this can only be done with a disproportionate effort.
ARTICLE 9. RIGHT OF INSPECTION
1. The Data Subject has the right to inspect his/her Personal Data and may request the following information:
a. A description of the purpose or purposes of the Processing of Personal Data;
b. Any available information regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. A list of recipients or categories of recipients who received the Personal Data;
e. If possible, the period for which the Personal Data is expected to be stored, or if that is not possible, the criteria for determining that period;
f. That the Data Subject has the right to rectification, the right to data erasure and the right to restrict processing.
2. A request for inspection may be denied on the following grounds:
a. The requester is not a Data Subject or his/her request does not concern data relating only to the requester;
b. The requester has not yet reached the age of 16 years and/or has been placed under guardianship. In this case, only the legal representative can make the request;
c. Respondent has already recently complied with a similar request from the same Requestor;
d. Protection of the Data Subject or the rights and freedoms of others;
e. Because of State security, and/or the prevention, detection and prosecution of criminal offenses.
ARTICLE 10. OTHER RIGHTS
1. The Data Subject has the right to object at any time to the Processing of Personal Data concerning him/her. In the event of an objection, the Processing shall be discontinued by the Controller.
2. The Data Subject has the right to obtain from the Controller without delay rectification of inaccurate Personal Data concerning him.
3. The Data Subject shall have the right to obtain from the Controller the erasure of Personal Data concerning him/her without unreasonable delay.
In addition, the Controller is obliged to delete data without unreasonable delay when the Data Subject has withdrawn his consent or the Controller no longer needs the Personal Data for the purposes for which it was collected.
4. If the Data Subject disputes the accuracy of the Personal Data, the Data Subject has the right to obtain from the Controller restriction of the Processing.
5. The Data Subject shall have the right to obtain the Personal Data concerning him that he has provided to the Controller in a structured, common and machine-readable form.
ARTICLE 11. EXERCISE OF RIGHTS BY DATA SUBJECT
The Controller shall take appropriate measures so that the Data Subject receives the communication or information regarding the rights described in these Privacy Rules in a concise, transparent and accessible manner and in clear terms.
ARTICLE 12. ACCESS TO AND RECIPIENTS OF PERSONAL DATA
1. Access to Personal Data shall in principle only be granted to those directly involved in the performance of the Data Subject’s treatment, insofar as such access is necessary for their activities.
2. When a Processing is carried out on behalf of the Controller, the Controller shall only use Processors who provide adequate guarantees that the Personal Data are Processed in accordance with the Regulation, the Implementing Act or regulations based thereon.
3. Access/Personal Data may otherwise be granted to the following persons and bodies:
a. Investigators as referred to in Article 7:458 of the Civil Code;
b. Health insurers to the extent necessary in view of the obligations under the insurance contract;
c. Third parties charged with the collection of claims to the extent that access/disclosure is necessary and does not involve medical data;
d. Others, when the basis of the Processed Data is:
(i) Consent of the Data Subject;
(ii) A need to comply with a legal obligation;
(iii) Safeguarding a vital interest of the Data Subject.
e. Others, when further Processing is done for historical, statistical or scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is done solely for these purposes.
ARTICLE 13. REGISTRY
The Responsible Party shall keep a register of the processing activities carried out under its responsibility. This register shall contain the following information:
a. The name and contact details of the Controller and, if applicable, of the Data Protection Officer;
b. The processing purposes;
c. The categories of data covered by the Processing;
d. The categories of recipients to whom Personal Data will be disclosed;
e. If possible, the intended time period within which the Personal Data must be deleted;
f. If possible, a description of the technical and organizational measures taken.
ARTICLE 14. BREACH NOTIFICATION
1. If a Personal Data Breach has occurred, the Controller shall, if and to the extent required by law, notify the Data Subject and the Personal Data Authority as soon as possible after becoming aware of it.
2. The notification referred to in the first paragraph will include at least:
a. The nature of the breach;
b. The likely consequences of the breach;
c. The measures taken by the Controller as a result of the breach;
d. A contact point for more information.
ARTICLE 15. RETENTION PERIODS
1. Medical data obtained to enter into or fulfill a treatment agreement shall be kept for 20 years. The Controller shall not be obliged to keep longer retention periods than required by law, in particular article 7:454 paragraph 3 of the Civil Code.
2. Other Personal Data shall not be kept longer than necessary for the purposes for which they were Processed. If such Personal Data are no longer needed, they will be deleted.
ARTICLE 16. CONFIDENTIALITY
1. The Controller, the Processor and anyone who has access to Personal Data under the authority of the Controller are obliged to maintain the confidentiality of the Personal Data.
2. Data relating to the health of Data Subject(s) is considered ‘special Personal Data’. The Processing of special Personal Data is subject to a duty of confidentiality for anyone processing it. This arises from that person’s office, profession or employment contract.
ARTICLE 17. SECURITY
1. The Controller must ensure that appropriate technical and organizational measures are taken to secure Personal Data.
2. ‘Appropriate’ means that the security measures taken are appropriate to the risk that Personal Data will be (further) Processed carelessly or unlawfully and the damage that would result. The measures taken must ensure that:
a. Only authorized persons have access to Personal Data;
b. Personal Data is accurate and not lost;
c. The Personal Data are available without hindrance for lawful Processing according to the agreements within the organization.
3. In all cases, the Responsible Party shall ensure the information security policy and disseminate this policy within the dental practice.
ARTICLE 18. WEBSITE
1. The Lassus Dentists website uses cookies. Cookies are small text files sent by a website to the browser, after which the browser stores this data. On a subsequent visit to the website, the browser sends the stored data back to the website. Cookies come in all shapes and sizes. Lassus Dentists uses technical cookies, analytical cookies and marketing cookies. Below we explain what these cookies are used for.
Technical cookies
Technical cookies are necessary for the website to function properly. These cookies are necessary to ensure that you have an optimal user experience. No personal data is processed with the use of technical cookies.
Analytical cookies
Analytical cookies are used to collect information about how website visitors use and experience our website. This information allows us to optimize the website, monitor how the website works and improve the user experience. No personal data is processed with the use of analytical cookies.
Marketing cookies
Marketing cookies, also known as tracking cookies, are used to track the browsing habits of website visitors across the Internet. If you have given your consent, we place tracking cookies to present personalized offers and discount promotions through various online channels.
You consent to this processing when you check the box using the cookie notice. You can change your preference at any time through the cookie settings on the website. Lassus Dentists takes appropriate technical and organizational security measures to secure personal data against loss or against any form of unlawful processing. These measures are aimed at achieving an appropriate level of protection, given the risks involved in the processing and the nature of the data to be protected.
2. Retention period of data through the website
Lassus Dentists will not retain your data for longer than is necessary for the purposes for which the data was collected with a maximum duration of 2 years.
3. Management and access to the personal data of third parties
Subject to legal requirements in laws and regulations to that effect, only those entrusted with the management of the client file and/or those who are related or necessarily involved in the processing of personal data, including employees and processors of Lassus Dentists, have access to the personal data.
Lassus Dentists uses the following online tools:
– Hotjar
– Facebook
– LiveZilla
– Google Analytics
– Mailchimp
– Vimeo
These online tools are used, among other things, to analyze the surfing behavior of website visitors, to collect website statistics and to send newsletters. The above parties, such as Facebook, have their own privacy statements and bear their own responsibility.
ARTICLE 19. FINAL PROVISIONS
1. The Data Subject does not accept more obligations than what it is obliged to do by law, unless otherwise agreed in writing with the Data Subject.
2. The Data Subject has the right to lodge a complaint with the supervisory authority.
3. Amendments to these Privacy Regulations shall be made by the Controller. The amendments to the Privacy Regulations are effective vis-à-vis Data Subjects after Data Subjects have been informed of the amendment.
4. This Privacy Policy is effective as of 25-05-2018 and available for inspection at the dental office.
For questions or to exercise the rights of Data Subject, please contact:
Address: Apollolaan 174, 1077 BH Amsterdam
Telephone: +31 (0)20 47 13 137
E-mail: administratie@lassus.nl