Privacy statement Balanskompass

PRIVACY DOCUMENT Veronica Kroon

I take privacy seriously. Your information is processed and used in a secure manner. This privacy statement explains how I handle your personal data.

Personal data I process

I process your personal data because you use my services and/or because you provide this data to me. Below is an overview of the personal data I process:

The following data is recorded in the collaboration agreement:

  1. Client's name, gender, occupation, address/postcode/city, phone numbers, email address, insurance company, relationship number, GP (name and address), client's consent for notifying the GP, physical complaints, medication use, substance use (drug/alcohol use, etc.). Previous treatments (psychotherapeutic, psychological, psychosocial or psychiatric), current treatments (medical, psychological, psychiatric, alternative), practitioner, diagnosis, advice, results.
  2. Brief description of the presenting issue – complaint – problem (in a maximum of 10 sentences).
  3. Motivation to resolve the complaint (on a scale of 1 to 10).
  4. Therapy will be considered successful by me as a client when: (in a maximum of 10 sentences).
  5. How will you notice that you have achieved the above?: (in a maximum of 10 sentences).
  6. Date and location of the intake, with the client’s and therapist’s signatures. These details are filled in digitally by the client and signed. If sent encrypted, I will add it to the digital treatment file. If the client chooses to give it to me in printed form, I scan it, and the paper document is shredded. The digital treatment file contains a general record of the session content and methods used, to monitor the progress of the treatment.

Purpose and legal basis for processing personal data

In addition to the GDPR, the WGBO (Medical Treatment Contracts Act) and the codes of conduct of my professional association and the Register of Complementary Healthcare Professionals (RBCZ) apply to my work. These influence the purposes for which I record personal data.

For this reason, I handle personal data as follows:

  • Record-keeping obligation: Under the WGBO, I am required as a healthcare provider to maintain a medical file.
  • Retention period: The general rule for storing medical records under the WGBO is 20 years, calculated from the date each individual entry is recorded. This period may be extended if necessary for treatment (e.g., in the case of a chronic illness).
  • Confidentiality: As a therapist, I am bound by a professional code and the legally regulated medical professional confidentiality. Employees of a psychosocial or complementary practice are bound by a confidentiality agreement in their employment contract.

Automated decision-making

I do not make decisions based on automated processing that could have significant consequences for individuals. This refers to decisions made by computer programs or systems, without any human intervention by me.

Who has access to client records?

  1. I am a self-employed professional and the only person with access to client records. I am bound by a professional code of confidentiality. No one else has access to personal data.
  2. In peer review groups with colleagues, we discuss anonymised and unrecognisable case studies. This is always done in the best interest of the client's treatment.
  3. Appointments are made in an electronic calendar, which only I can access through my phone and laptop, both of which are password-protected.

How I protect personal data

I take the protection of your data seriously and take appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure, and unauthorised modification. If you feel your data is not properly secured or suspect misuse, please contact me.

Technical security measures

  • Up-to-date antivirus software
  • Unique login codes and passwords for systems
  • Secure backups
  • Firewalls

Organisational security measures

  • Do not leave laptops/computers unattended or in the car
  • Clean desk policy
  • Careful use of USB sticks
  • Proper disposal of old documents

External individuals or companies with access to personal data

  1. I handle invoicing myself. My accountant processes my financial administration.
  2. I process client data in Word, not in an electronic environment, so no third parties are involved.
  3. Weekly backups of my data are made to a secure Dropbox vault.
  4. Since I send invoices by email (with the client’s permission), Outlook/Microsoft is jointly responsible for securely managing email traffic. You can read the Microsoft privacy statement here: https://privacy.microsoft.com/nl-nl/privacystatement

Sharing personal data with third parties

I only share your data with third parties if necessary for the execution of our agreement or to comply with a legal obligation.

Access, modify, or delete personal data

You have the right to access, correct, or delete your personal data. You also have the right to withdraw your consent for data processing or object to the processing of your personal data by me and have the right to data portability. Let me know if you wish to exercise these rights.

Handling data breaches

Since 1 January 2016, the data breach notification obligation applies. This means that organisations (including therapists) must immediately (within 72 hours of the breach) report a serious data breach to the Dutch Data Protection Authority. Sometimes, the breach must also be reported to the individuals involved (the people whose data was leaked).

When do I need to report a data breach?

I only need to report a data breach to the Dutch Data Protection Authority if it leads to serious adverse consequences for the protection of personal data or if there is a significant chance that this will happen. This is the case if, due to the breach, either personal data has been lost (and you cannot recover it, and there was no backup), or unlawful processing of personal data cannot be excluded (someone may have had access to the data who was not authorised, and you do not have control over what they did or will do with the data).

I only need to inform the affected individuals (the clients whose data I process) if a breach is likely to have adverse effects on their personal privacy. This could occur if sensitive data (e.g., health information) was leaked and could be misused by third parties.

  1. I understand when I need to report a data breach and will act accordingly. The only possible breach would be if my laptop were stolen, which I monitor closely.
  2. I have agreements in place with suppliers in the processor agreement, and I am notified in a timely manner if a data breach has occurred. In my case, this would only involve the hacking of my email.

Changes

This privacy statement may be modified. These changes will be announced via the website.

Questions

If you have any questions about this privacy statement, please contact me.

Veronica Kroon, BalansKompass