As of May 25, 2018, the General Data Protection Regulation (GDPR) applies. This is a new European privacy law. The AVG replaces the old Personal Data Protection Act (Wbp). The GDPR lists a number of mandatory measures that I, as a therapist, must comply with because I record data in client files.

Mandatory measures

The mandatory measures specifically mentioned by the GDPR are:

  1. keeping a register of processing activities;
  2. carrying out a security check of the digital client file (or having it carried out). (Inner-Tree has no digital file)
  3. keeping a register of data breaches that have occurred;
  4. demonstrating that a client has actually given permission for data to be recorded in the client file.

1. What personal data we collect and why we collect it


The Medical Treatment Contracts Act (WGBO) has required me, as your care taker, to create a file. This information is provided to each new customer in advance via a treatment agreement or “informed consent”. The information can also be found on this website in the Frequently Asked Questions/FAQ section.

Your file contains your name, address, date of birth, telephone number, e-mail address and, if you provide this, the relationship number of your health insurer. Your file contains my very brief notes and catchwords of things that are striking to me and a very short description of the session or its result. The file also contains information that is necessary for your treatment and that I have requested from another healthcare provider after your explicit permission. What I don’t include are notes about your health condition and data about examinations, treatments and sessions performed.

This data in the client file is kept for 20 years in accordance with the statutory retention period from the WGBO. After that period, or upon my death, your file will be destroyed. So there is no transfer as required.

We do our best to guarantee your privacy. This means, among other things, that we:

  • handle your personal and medical data carefully,
  • ensure that unauthorized persons do not have access to your data
  • as your treating therapist, I have sole access to the data in your file.

No information will be given to third parties (such as general practitioner, specialist, other therapist in case of transfer and/or referral), unless after your written permission; or when the law or my duty of care breaches the confidentiality.
The data from your file can also be used for the following purposes:

  • To inform personal injury insurers, for example about the course of the sessions. This will only happen with your explicit consent and after it is clear who pays the invoice.
  • For the use of taking over my watch, in my absence.
  • For the anonymized use during peer review.
  • Part of the data from your file is used for the financialadministration, so that I or my administrator, can prepare an invoice according to the requirements of the health insurers.
  • To send you personalized emails; with this you will receive updates and newsletters from my practice. Under no circumstances will your email address be given to anyone else. You can unsubscribe from the newsletters at any time.
  • To be able to make video calls when sessions are online.
  • If I want to use your data for another reason, I will first inform you and explicitly ask for your permission.


You have the right -by appointment- within the walls of the practice to inspect the file about you and all further rights arising from the General Data Protection Regulation (GDPR) related thereto. Costs are charged for the time of preparation and inspection.


The invoice you receive contains the information requested by the health insurer, so that you can declare this bill to your health insurer.

  • your name, address and place of residence
  • your date of birth
  • the date of the session
  • a brief description of the session
  • the cost of the session
  • If you have passed this on: your relationship number with the health insurer

The invoices (for care supplied) will be sent to you by e-mail.

When visitors leave comments on the site, we collect the data shown in the comments form, the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be sent to the Gravatar service if you use it. The privacy policy page can be found here: After your comment has been approved, your profile picture will be publicly visible in the context of your comment.


If a visitor fills in the contact form, the entered data (such as name, e-mail address and telephone number) are recorded on our website and in the e-mail marketing program.


Introduction to cookies

What is a cookie?

We make use of cookies on this website. A cookie is a simple small file that is sent along with pages from this website [en/of Flash-applicaties] and is stored by your browser on the hard drive of your computer. The information stored therein can be sent back to our servers on a subsequent visit.

Use of permanent cookies

With the help of a permanent cookie we can recognize you when you visit our website again. The website can therefore be specially set to your preferences. We can also remember this by means of a cookie if you have given permission for the placing of cookies. As a result, you do not have to keep repeating your preferences, which saves you time and allows you to make more pleasant use of our website. You can delete permanent cookies via the settings of your browser.

Use of session cookies

With the help of a session cookie we can see which parts of the website you have viewed during this visit. We can therefore adapt our service as much as possible to the surfing behavior of our visitors. These cookies are automatically deleted as soon as you close your web browser.

Enabling and disabling cookies and deleting them.

More information about enabling and disabling and deleting cookies can be found in the instructions and/or using the Help function of your browser.

More information about cookies?

You can find more information about cookies on the following websites:
Consumers Association: “What are Cookies?
Consumers Association: “What are cookies for?
Consumers Association: “Delete cookies
Consumers Association: “Disable cookies
Your Online Choices: “A guide to online behavioural advertising””


With your permission, we place a cookie on your equipment, which can be requested as soon as you visit a website from our network. This allows us to find out that in addition to our website, you have also visited the relevant other website(s) from our network. The profile built up as a result is not linked to your name, address, e-mail address and the like, but only serves to match advertisements to your profile, so that they are as relevant to you as possible.


The data below is kept for the correct operation of the site or to improve the site.

When you visit this site, you will see a cookie preference bar. It indicates whether data may be shared with Google Analytics or Google Maps or Facebook. Only those anonymous data that are linked to your IP address are registered. With Analytics, this is stored forever.

When sharing a post via the “social sharing” button, your data will be passed on to the social media platform with which you share a blog.

When you leave a comment, that comment and the metadata of that comment will be saved forever. This way we can recognize and approve follow-up comments automatically instead of having to moderate them.

For users who register on our website (if applicable), we also store personal information in their user profile. All users can view, change or delete their personal information at any time (the username cannot be changed). Website administrators can also view and change this information.


When sessions are online, a video conferencing platform is used that meets the security requirements. In order to be able to make contact with each other, the platform records your e-mail address and your IP address with related data.


A cookie from the American company Google is placed via our website as part of the “Analytics” service. We use this service to keep track of and receive reports on how visitors use the website. Google may provide this information to third parties if Google is legally obliged to do so, or insofar as third parties process the information on behalf of Google. We have no influence on this. We have Google actually/not permitted to use the obtained analytics information for other Google services.

The information that Google collects is anonymized as much as possible. Your IP address is expressly not provided. The information is transferred to and stored by Google on servers in the United States. Google states that it adheres to the Safe Harbor principles and is affiliated with the Safe Harbor program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.


A cookie from the American company ActiveCampaign is placed via our website as part of the CRM and email marketing service. We use this service as a customer database and to keep track of how visitors respond to emails. ActiveCampaign can only provide this information to third parties if it is required to do so by law. We have no influence on this. ActiveCampaign does not use the data for other services and the data remains the property of Inner-Tree.

The information is transferred to servers in the United States. ActiveCampaign states in their DPA that there is an adequate level of protection for the processing of personal data.


Our website includes buttons to promote (“like”) web pages or share them on social networks such as Facebook and Twitter.

These buttons work using pieces of code that come from Facebook or Twitter respectively. Cookies are placed through this code. We have no influence on that. Read the privacy statement of Facebook and Twitter respectively (which can change regularly) to read what they do with your (personal) data that they process via these cookies.

“The information they collect is anonymized as much as possible. The information is transferred to and stored by Twitter, Facebook, Google + and LinkedIn on servers in the United States. LinkedIn, Twitter, Facebook and Google + adhere to the Safe Harbor principles and are affiliated with the Safe Harbor program of the US Department of Commerce. This means that there is an appropriate level of protection for the processing of any personal data.”

You have the right to request access to and correction or deletion of your data. See our contact page for this. To prevent misuse, we may ask you to identify yourself adequately. When it comes to access to personal data linked to a cookie, you must also send a copy of the cookie in question. You can find this in the settings of your browser.

If you have an account on this site or have left comments, you can request an export file of the personal information we hold about you, including any information you have provided to us. You can also request that we delete any personal data we hold about you.

This does not contain any data that we are obliged to keep for a long period of time for tax-administrative, (care) legal or security purposes.

3. Data breach procedure


Click the link here to download.
Note 1: YES; Inner-Tree processes personal data on its own laptop, in the accounting package and in the e-mail package.
Note 2: NO
Note 3: NO; Inner-Tree does not work with large numbers of personal data. The client file contains sensitive data but is not stored electronically.
Note 4: NO; Identity fraud also requires a Social Security Number or bank account, which is not recorded by Inner-Tree.
Note 5: NO / YES; nothing is encrypted on the laptop, but there is an access password, a firewall and VPN; the accounting package is encrypted.
Inner-Tree does not have to report to those involved.

4. Processor Agreements

Inner-Tree has processing agreements with:

  • ActiveCampaign e-mailmarketing
  • Informer administration package
  • Webex videoconferencing