Within Work With Care, we attach great importance to the careful and secure handling of your personal data. We therefore process these data in strict accordance with the General Data Protection Regulation (AVG) and the specific healthcare legislation. In this privacy statement, we clearly explain which data we process, why we do so, how we secure it and what rights you have.

1. Who we are

Controller:

Work With Care
Address: Zadelmakerstraat 44, 1991 JE Velserbroek
Chamber of Commerce number: 66620961
Phone number: 023-2084030
E-mail: info@work-with-care.nl
Data Protection Officer (FG): Ron Klaver – ron@work-with-care.nl

As a practice, Work With Care facilitates the framework conditions for the therapists who treat you. For the general personal data, website and administration, we are the data controller. For medical reporting in the Electronic Patient Record (EHR), the independent therapist treating you is the data controller.

2. What personal data we process

We process your data only when necessary for our services, legal obligations or when you give your explicit consent.

2.1 General personal data

• First and last name
• Address information (street, house number, zip code, city)
• Date of birth
• Citizen service number (BSN) – only if required by law for claims with health insurance companies
• phone number
• Email address
• Insurance information (name of health insurance company, policy number)
• Payment and billing information (bank account number if necessary)
• Contact history (email, phone, website forms, correspondence)

2.2 Special personal data (health data)

This data is only processed with your explicit consent (Article 9 paragraph 2 sub a AVG) or if necessary for the provision of physiotherapeutic care:

• Nature of the complaint or condition
• Medical history and anamnesis
• Diagnostic findings and treatment plans
• Test results, measurements and progress reports
• Referrals to and from other health care professionals (general practitioner, specialist)
• Reporting of consultations, treatments and therapy courses

2.3 Website and cookie data

When visiting our website, we process:

• IP address (anonymized where possible)
• Browser and device information
• Page visits and click behavior
• Cookie preferences

Cookies are placed only with your consent. Complianz records your cookie preferences. For more information, see section 9.

2.4 Source of data

We collect personal data directly from you through:

• Intake and application forms
• Telephone or e-mail correspondence
• Consultations and treatment sessions.
• Contact forms on our website

In some cases, we receive data indirectly from your primary care physician or other referring health care providers only with your prior consent or based on a legal basis.

3. Purposes and bases of processing.

We process your personal data only for specific purposes and on a lawful basis as referred to in the AVG.

3.1 Performance of the Agreement (Article 6(1)(b) AVG)

Purposes: Provision of physical therapy care, scheduling of appointments, treatment communication, declarations to health insurers
Data processed: Name, address, date of birth, BSN (if required), phone number, e-mail, insurance information, health data (complaints, treatment plans, medical history)
Retention period: Medical records at least 20 years after last treatment (Wkkgz)

3.2 Legal obligations (Article 6(1)(c) AVG)

Purposes: Fulfillment of tax obligations, administrative obligations, quality of care requirements
Data processed: BSN (for claims), billing information, treatment records
Retention period: Financial administration 7 years (Tax Act)

3.3 Express consent (Article 9(2)(a) AVG)

Purposes: Processing special personal data (health data) for healthcare services, newsletters, marketing communications
Data processed: Medical complaints, diagnoses, treatment results, email address for newsletters
Retention period: Until withdrawal of consent (for marketing); 20 years for medical data

3.4 Legitimate interest (Article 6(1)(f) AVG)

Purposes: Service improvement, website optimization, security and fraud prevention, internal business operations
Data processed: IP address (anonymized), website usage, contact history
Retention period: Up to 2 years after last contact, unless longer required by law

4. Disclosure to third parties

We do not provide your personal data to third parties unless it is necessary for our services, pursuant to a legal obligation, or with your express consent.

4.1 Recipients within the European Economic Area (EEA)

Health Insurers: For claims and processing reimbursements (with your permission)
Healthcare Professionals: General practitioners, specialists or other practitioners (only with your permission)
Processors :

• SmartFile BV – electronic health record (EHR) system.
• Hosting provider – Cloud86
• Email service – Cloud86
• Email service – Healthcare Domain
• E-mail service – Connect4Care
• Complianz – cookieconsent management
• Newsletter Brevo
• Payment provider – Mollie

We have processor agreements with all processors that set out agreements on the security and confidentiality of your data.

4.2 International transfer (outside EEA).

In principle, we do not provide personal data to recipients outside the EEA. However, should this be necessary in the future (for example, when using certain cloud solutions), we will ensure appropriate safeguards such as approved Standard Contractual Clauses (SCCs) or an adequacy decision from the European Commission. We assess this on a case-by-case basis via a Transfer Impact Assessment (TIA)

4.3 Legal authorities

We may provide your data to government agencies (such as police, judiciary, tax authorities) if we are required to do so by law or if it is necessary for the protection of our legitimate interests.

5. Retention periods

We do not retain your personal data longer than necessary for the purposes for which it was collected or pursuant to legal obligations.

Medical records: At least 20 years after last treatment (in accordance with Wkkgz and Wgbo)
Financial records: 7 years (in accordance with Tax Act)
General correspondence: Maximum 2 years after last contact
Newsletter subscriptions: Until withdrawal of consent
Cookie data: According to settings Complianz (usually 12 months)
Website analytics: Maximum 26 months (anonymized IP address)

6. Security of your data

We take the protection of your personal data very seriously and have taken appropriate technical and organizational measures to secure your data against loss, unauthorized access, unlawful use and disclosure.

Our security measures include:

• Encrypted storage of digital data (TLS/SSL security)
• Strict access management: only authorized personnel have access to medical records
• Use of strong passwords and two-factor authentication where possible
• Regular software updates and security patches
• Physical security of paper files in locked rooms
• Employee confidentiality statements
• Processor agreements with all external parties
• Privacy Impact Assessments (PIA) for new processing operations
• Annual review of security measures

7. Your rights as a data subject

Under the AVG, you have several rights with respect to your personal data. You can exercise these rights by contacting us at info@work-with-care.nl.

7.1 Right of inspection (Article 15 AVG)

You have the right to access the personal data we process about you. We will send you a copy of your data within one month (this may be extended by two months in exceptional cases).

7.2 Right of rectification (Article 16 AVG)

If your information is incorrect or incomplete, you may request that we correct or supplement it.

7.3 Right to erasure / ‘right to oblivion’ (Article 17 AVG)

You can ask us to delete your personal data. We comply with this, unless there is a legal basis or obligation to keep the data longer (for example, medical records that must be kept for 20 years).

7.4 Right to restriction of processing (Article 18 AVG)

You can request that the processing be restricted, for example, if you dispute that the data is accurate, or if you have objected to the processing.

7.5 Right to data portability (Article 20 AVG)

You have the right to receive your personal data in a structured, common and machine-readable format and to transfer it to another organization (to the extent technically possible).

7.6 Right to object (Article 21 AVG)

You may object to the processing of your personal data if it is based on legitimate interest. We will assess your objection and stop processing unless we have compelling legitimate grounds to continue.

7.7 Right to withdraw consent (Article 7(3) AVG)

If the processing is based on your consent, you may withdraw this consent at any time. This does not affect the lawfulness of the processing prior to the withdrawal.

7.8 Filing a complaint with the Personal Data Authority.

Are you not satisfied with the way we handle your data? Then you can file a complaint with the Personal Data Authority:

Personal Data Authority
PO Box 93374
2509 AJ The Hague
Website: www.autoriteitpersoonsgegevens.nl

8. Automated decision-making and profiling.

Work With Care does not use automated decision-making or profiling that uses personal data to evaluate certain personal aspects, such as work performance, economic situation, health, personal preferences or behavior.

9. Data breach

Despite our security measures, a data breach can never be completely ruled out. Should a data breach occur, we will take immediate action.

Duty to Report: If a data breach is likely to pose a risk to your rights and freedoms, we will report it to the Personal Data Authority within 72 hours.

Duty to inform: If the leak involves a high risk to you, we will inform you as soon as possible, along with recommendations to mitigate any adverse consequences. We document all incidents internally, even if they are not reportable.

10. Cookies and similar technologies

Our website uses cookies. A cookie is a small text file that is stored in the browser of your computer, tablet or smartphone the first time you visit a website.

10.1 Types of cookies

Functional cookies: Ensure that the website works properly (e.g. language preference, login details). No consent is required for these.
Analytical cookies: Help us understand how visitors use the website (e.g. Google Analytics with anonymized IP address). For this, we ask your permission.
Marketing cookies: Used to show ads that are relevant to you. These cookies are set only with your permission.

10.2 Consent and cookie banner

On your first visit to our website, you will see a cookie banner (managed by Complianz) where you can choose which cookies you accept. You can change your preferences at any time by adjusting your browser settings or via the cookie banner at the bottom of the website.

10.3 Deleting cookies

You can delete cookies through your browser settings. Please note that disabling cookies may limit the functionality of the website.

11. Minors

If you are under 16 years of age, we will ask you for permission from a parent or legal representative before sharing personal data with us. The processing of medical data of minors between the ages of 12 and 16 is subject to special rules as laid down in the Wgbo. For children under 12, parental consent is always required.

Parents or guardians have the right to inspect their child’s data and request correction or deletion, unless the minor has entered into a treatment agreement themselves (Article 7:450 of the Civil Code).

12. Changes to this privacy statement

We reserve the right to make changes to this privacy statement. The most recent version can always be found on our website. In case of significant changes, we will notify you via email or a notification on the website.

We recommend that you review this privacy statement periodically so that you are aware of any changes.

13. Questions or complaints

Do you have questions about this privacy statement or how we process your personal data? If so, please contact us:

Work With Care
Zadelmakerstraat 44
1991 JE Velserbroek
E-mail: info@work-with-care.nl
Data Protection Officer: ron@work-with-care.nl
Phone number: 023-2084030