HZK Privacy statement

This privacy statement applies to the processing of personal data by HZK Ondersteuningsorganisatie BV, hereinafter referred to as “HZK”.


About HZK

HZK focuses on supporting affiliated general practitioner practice owners in the field of practice ownership and the organization of multidisciplinary care and collaboration in the South and Central Kennemerland region, including chronic care, elderly care, and mental health care (hereinafter: collectively ‘region contracted care’).

In this context, HZK processes personal data of, among others, patients, general practitioner practice owners, their employees, and other care providers (chain partners) in the role of controller and processor. This privacy statement relates to the data that HZK processes in the role of controller.


Processing of personal data by HZK

The protection of personal data is very important to HZK. HZK respects your privacy and ensures that your personal data is always treated confidentially and in accordance with applicable privacy legislation.


Purposes of processing

Your personal data is processed by HZK for the following purposes:

1. Supporting the care tasks of GP practice owners in the area of regional contracted care, including:

  • Making available an IT system for regional contracted care provision in which GP practice owners and chain partners can register and/or view the region contracted care provided to you (if applicable);
  • Managing the IT system for regional contracted care provision, including granting access to this system to GP practice owners affiliated with HZK and other chain partners who are involved in your care provision (if applicable), so that they can provide the region contracted care provided to you in a proper and informed manner. However, chain partners are only granted access to this system at the request of an HZK-affiliated GP practice owner with whom you are being treated and who has referred you to these chain partners. Depending on the applicable situation, you will therefore first be asked for permission for this;
  • the financial settlement of the (provided) region-contracted care, including submitting claims to and accounting to health insurers;
  • the preparation of traceable quality reports for a general practitioner practice owner affiliated with HZK with whom you are a patient, in order to assess, evaluate, and improve the region-contracted care provided by this practice owner and their practice management;
  • the preparation of anonymized quality reports for all general practitioner practice owners affiliated with HZK in order to assess, evaluate, and improve the region-contracted care provided throughout the entire region;


2. the conclusion and execution of an agreement, including:

  • calculating, recording, and collecting amounts due, including placing claims in the hands of third parties;
  • maintaining the administration, as well as other activities of internal management;


3. the provision of information, including:

  • to be able to contact you and respond to questions asked by you;
  • to inform you about new developments at HOZK;


4. improving the services of HZK;


5. (statutory) obligations, including:

  • handling disputes and conducting audits;
  • complying with requests by government authorities;
  • complying with statutory obligations, such as the obligation to maintain records and retain documents, including the obligation to retain medical records pursuant to the Medical Treatment Agreement Act (Wgbo).


Legal basis for processing

The legal basis for the aforementioned processing purposes lies in (at least one of the following):

  • the consent given by you;
  • taking pre-contractual measures at your request and/or the execution of the agreement concluded with you (including a treatment agreement for the provision of regionally contracted care);
  • compliance with statutory obligations (such as submitting claims to the health insurer or the record-keeping obligation that HZK has under the Wgbo regarding medical records);
  • the pursuit of legitimate interests of HZK or of a third party (such as conducting quality reports).

For the purposes for which the legitimate interest of HZK forms the legal basis, you may object to these processing operations on the basis of the right of objection. You will find more information about that right further on in this statement.


Mandatory provision

When we ask you for personal data, we will indicate per situation whether the provision of the data is necessary or mandatory and what the (possible) consequences are if the data is not provided. The guiding principle is always that HOZK will not process more personal data than is necessary for the purposes described above.


Exchange with third parties

For optimal service provision, we share your personal data with our partners (processors). This includes partners who maintain our website, email system, and IT system. These partners process the personal data only on instruction and for the benefit of HZK.

In the following cases, HZK shares your personal data with third parties (such as general practitioner practice owners and other chain partners) who (further) process the data for their own purposes (at least one of the following):

  • these parties are directly involved in the execution of the medical treatment agreement for the provision of regionally contracted care;
  • you have given your prior consent for the relevant provision;
  • HZK is legally obliged to provide data;
  • the handling (or having handled) of (legal) disputes and proceedings;
  • for the necessary protection of rights or freedoms of you, HZK, or third parties;

The relevant parties further process the data in accordance with their own privacy statement.


Automated decision-making and profiling

HZK makes use of profiling on a (very) limited scale. The profiling consists of categorizing files so that they can be displayed in overviews by category.


International Data Transfer

In principle, your data is processed within the borders of the European Economic Area (EEA). To the extent that personal data is transferred to countries outside the EEA (third countries), HZK takes measures to ensure an appropriate level of protection. Furthermore, where possible, HZK bases transfers to third countries on an adequacy decision adopted by the European Commission. If the European Commission has not adopted an adequacy decision for a third country, HZK takes appropriate safeguards by basing the transfer on and complying with standard contractual clauses established by the European Commission.


Retention Period

Your data is never retained longer than necessary or legally required. Based on our record-keeping obligation, we are required to retain certain data for seven years. Additionally, based on our record-keeping obligation under the Wgbo, we are required to retain data belonging to your medical file for a period of 20 years (after the last change in your file).


Security of personal data

HZK will take (or have taken) appropriate technical and organizational measures to protect personal data against loss or any form of unlawful processing. In this context, various measures have been taken, including data encryption, encrypted communication, and treating the data as confidential.


Your rights

As described in the General Data Protection Regulation (GDPR), you have a number of rights that we will fulfill free of charge and within 30 days upon your request. Should answering your question/request unexpectedly take more time, we will inform you of this within one month. Due to the complexity of the requests and/or the number of requests, the response time may extend to a total of three months.


We have listed the rights below:

Right of access: you can view the personal data processed by HZK.
Right to rectification and erasure: you can have data modified or deleted.
Right of objection: you can always unsubscribe from, for example, email newsletters. We will resolve your objection to the non-commercial use of your personal data, for example for our administration, through mutual consultation.
Right to restriction: if you believe that we do not hold the correct personal data about you, you have the right to have your data temporarily ‘frozen’.
Right to data portability: you can have your data transferred by us to another responsible party in a common machine-readable format.
Withdrawal of consent: If you have given HOZK permission to use your personal data, you can withdraw this consent at any time. You always have the right to withdraw consent once given. We will then immediately cease processing.

If you wish to exercise your rights, you can contact us via info@hzk.nl. We will process your request as soon as possible. In some situations, it will be the case that not HZK but another party (such as the GP practice owner) is responsible for handling your request. In that case, HZK will forward your request to this other party as soon as possible and inform you accordingly.


Supervisory Authority

Furthermore, you are always free to file a complaint with the supervisory authority. The supervisory authority for privacy legislation is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). You can find the contact details of the Dutch Data Protection Authority via the website www.autoriteitpersoonsgegevens.nl.


Changes

This privacy statement may be amended. These changes will be announced on the HZK website.
HOZK may process your personal data for new purposes that are not yet listed in this privacy statement. In that case, we will inform you about this to give you the opportunity to refuse your participation.


Questions and contact details

If you have questions about this privacy statement or our privacy policy, or wish to exercise one of your legal rights, you can contact us via info@hzk.nl.

Click here for the printable version of this privacy statement.