Introduction

As of May 25, 2018, the General Data Protection Regulation (GDPR) applies. This is a new European privacy law. The GDPR replaces the old Personal Data Protection Act (Wbp). The GDPR lists a number of mandatory measures that I, as a therapist, must comply with because I record data in client files.

Mandatory measures

The mandatory measures specifically mentioned by the GDPR are:

keeping a register of processing activities;
carrying out a security check of the digital client file (or having it carried out). (Inner-Tree has no digital file)
keeping a register of data breaches that have occurred;
demonstrating that a client has actually given permission for data to be recorded in the client file.

1. What personal data we collect and why we collect it

CLIENT FILE

The Medical Treatment Contracts Act (WGBO) requires me, as your supervisor, to create a file. This information is provided to each new client in advance via a treatment agreement or “informed consent”. The information can also be found on this website in the Frequently Asked Questions/FAQ section.

Your file contains your name, address, date of birth, telephone number, e-mail address and, if you provide this, the relationship number of your health insurer. Your file contains my very brief notes and keywords of things that are striking to me and a very short description of the session or the result thereof. The file also contains information that is necessary for your treatment and that I have requested from another healthcare provider with your explicit permission. What I do not include are notes about your state of health and data about examinations, treatments and sessions performed.

This data in the client file is kept for 20 years in accordance with the statutory retention period from the WGBO. After that period, or upon my death, your file will be destroyed. So there is no transfer as required.

We do our best to guarantee your privacy. This means, among other things, that we:

handle your personal and medical data carefully,
ensure that unauthorized persons do not have access to your data.
As your treating therapist, I have sole access to the data in your file.

No information will be given to third parties (such as a general practitioner, specialist, or other therapist in case of transfer and/or referral), except with your written permission, or when the law or my duty of care overrides confidentiality.
The data from your file can also be used for the following purposes:

To inform personal injury insurers, for example about the course of the sessions. This only happens with your explicit permission and after it is clear who pays the invoice.
For the use of observation, in my absence.
For the anonymized use during peer review.
Part of the data from your file is used for the financial administration, so that I or my administrator can draw up an invoice in accordance with the requirements of the health insurers.
To send you personalized emails; with this you will receive updates and newsletters from my practice. Under no circumstances will your email address be given to anyone else. You can unsubscribe from the newsletters at any time.
To be able to make video calls when sessions are online.
If I want to use your data for another reason, I will first inform you and explicitly ask for your permission.

CLIENT FILE AND YOUR RIGHTS

You have the right to inspect the file about you, by appointment and within the walls of the practice, and all further related rights arising from the General Data Protection Regulation (GDPR). Costs are charged for the time spent on preparation and inspection.

CLIENT FILE AND CARE NOTE

The care bill you receive contains the information requested by the health insurer, so that you can submit this bill to your health insurer:

your name, address and place of residence
your date of birth
the date of the session
a brief description of the session
the cost of the session
If you have passed this on: your relationship number with the health insurer

The invoices (care notes) will be sent to you by e-mail.

OWN WEBSITE: COMMENTS

When visitors leave comments on the site, we collect the data shown in the comments form, the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be sent to the Gravatar service if you use it. The Gravatar service privacy policy can be found here: https://automattic.com/privacy/. After your comment has been approved, your profile picture will be publicly visible in the context of your comment.

OWN WEBSITE: CONTACT FORM

If a visitor fills in the contact form, the entered data (such as name, e-mail address and telephone number) are recorded on our website and in the e-mail marketing program.

OWN WEBSITE: COOKIES

Introduction to cookies

What is a cookie?

We make use of cookies on this website. A cookie is a simple small file that is sent along with pages from this website [and/or Flash applications] and stored by your browser on your computer’s hard drive. The information stored therein can be sent back to our servers on a subsequent visit.

Use of permanent cookies

With the help of a permanent cookie we can recognize you when you visit our website again. The website can therefore be specially set to your preferences. We can also remember this by means of a cookie if you have given permission for the placing of cookies. As a result, you do not have to keep repeating your preferences, which saves you time and allows you to make more pleasant use of our website. You can delete permanent cookies via the settings of your browser.

Use of session cookies

With the help of a session cookie we can see which parts of the website you have viewed during this visit. We can therefore adapt our service as much as possible to the surfing behavior of our visitors. These cookies are automatically deleted as soon as you close your web browser.

Enabling and disabling cookies and deleting them.

More information about enabling and disabling and deleting cookies can be found in the instructions and/or using the Help function of your browser.

More information about cookies?

You can find more information about cookies on the following websites:
Cookierecht.nl
Consumers Association: “What are cookies?”
Consumers Association: “What are cookies for?”
Consumers Association: “Delete cookies”
Consumers Association: “Disable cookies”
Your Online Choices: “A guide to online behavioral advertising”

COOKIES: OURSELVES

With your permission, we place a cookie on your equipment, which can be requested as soon as you visit a website from our network. This allows us to find out that in addition to our website, you have also visited the relevant other website(s) from our network. The profile built up as a result is not linked to your name, address, e-mail address and the like, but only serves to match advertisements to your profile, so that they are as relevant to you as possible.

COOKIES: PREFERENCES BAR WHEN OPENING THE WEBSITE

The data below is kept for the correct operation of the site or to improve the site.

When you visit this site, you will see a cookie preference bar. It indicates whether data may be shared with Google Analytics or Google Maps or Facebook. Only those anonymous data that are linked to your IP address are registered. With Analytics, this is stored forever.

When you share a post via the “social sharing” button, your data will be passed on to the social media platform on which you share the blog post.

When you leave a comment, that comment and the metadata of that comment will be saved forever. This way we can recognize and approve follow-up comments automatically instead of having to moderate them.

For users who register on our website (if applicable), we also store personal information in their user profile. All users can view, change or delete their personal information at any time (the username cannot be changed). Website administrators can also view and change this information.

COOKIES: VIDEO CALL PLATFORM

When sessions are online, a video conferencing platform is used that meets the security requirements. In order to be able to make contact with each other, the platform records your e-mail address and your IP address with related data.

COOKIES: GOOGLE ANALYTICS TRACKING

A cookie from the American company Google is placed via our website as part of the “Analytics” service. We use this service to keep track of and receive reports on how visitors use the website. Google may provide this information to third parties if Google is legally obliged to do so, or insofar as third parties process the information on Google’s behalf. We have no influence on this. We have not allowed Google to use the obtained analytics information for other Google services.

The information that Google collects is anonymized as much as possible. Your IP address is expressly not provided. The information is transferred to and stored by Google on servers in the United States. Google states that it adheres to the Safe Harbor principles and is affiliated with the Safe Harbor program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.

COOKIES: ACTIVE CAMPAIGN TRACKING

A cookie from the American company ActiveCampaign is placed via our website as part of the CRM and email marketing service. We use this service as a customer database and to keep track of how visitors respond to emails. ActiveCampaign can only provide this information to third parties if it is required to do so by law. We have no influence on this. ActiveCampaign does not use the data for other services and the data remains the property of Inner-Tree.

The information is transferred to servers in the United States. ActiveCampaign states in their DPA that there is an adequate level of protection for the processing of personal data.

COOKIES: SOCIAL MEDIA

Our website includes buttons to promote (“like”) web pages or share them on social networks such as Facebook and Twitter.

These buttons work using pieces of code that come from Facebook or Twitter respectively. Cookies are placed through this code. We have no influence on that. Read the privacy statement of Facebook and Twitter respectively (which can change regularly) to read what they do with your (personal) data that they process via these cookies.

“The information they collect is anonymized as much as possible. The information is transferred to and stored by Twitter, Facebook, Google + and LinkedIn on servers in the United States. LinkedIn, Twitter, Facebook and Google + adhere to the Safe Harbor principles and are affiliated with the Safe Harbor program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.”

RIGHTS OVER YOUR DATA
You have the right to request access to and correction or deletion of your data. See our contact page for this. To prevent misuse, we can ask you to adequately identify yourself. When it comes to access to personal data linked to a cookie, you must also send a copy of the cookie in question. You can find this in the settings of your browser.

If you have an account on this site or have left comments, you can request an export file of the personal information we hold about you, including any information you have provided to us. You can also request that we delete any personal data we hold about you.

This does not include any data that we are obliged to keep for a long period of time for tax-administrative, (care) legal or security purposes.

3. Data breach procedure

EXPLANATION ON PDF STEP PLAN

Click here on the link to download.
Note 1: YES; Inner-Tree processes personal data on its own laptop, in the accounting package and in the e-mail package.
Note 2: NO
Note 3: NO; Inner-Tree does not work with large numbers of personal data. The client file contains sensitive data but is not stored electronically.
Note 4: NO; Identity fraud also requires a BSN or bank account, which is not recorded by Inner-Tree.
Note 5: NO / YES; nothing is encrypted on the laptop, but there is an access password, a firewall and VPN; the accounting package is encrypted.
Inner-Tree does not need to notify data subjects.

4. Processor Agreements

Inner-Tree has processing agreements with:

ActiveCampaign email marketing
Informer administration package
Webex video conferencing