Privacy Statement

  1. Introduction
    In this statement, MiniDis outlines how it handles personal data and privacy on a daily basis, and what is legally permissible and impermissible. Privacy plays a significant role in the relationship between MiniDis and its customers. Protecting privacy is complex and becoming increasingly so due to technological advancements, decentralization, significant safety challenges, and new European legislation. Therefore, we find it important to be transparent about how we handle personal data and ensure privacy protection.


    Legislation and Definitions
    The General Data Protection Regulation (GDPR) builds on the Dutch Data Protection Act (Wbp) and strengthens and expands privacy rights with more responsibilities for organizations. 

    The following terms are used in the GDPR (Article 4, GDPR): 

    • Data Subject: The person to whom the personal data pertains. The data subject is the individual whose data is being processed. 
    • Controller: The person or organization that determines the purposes and means of the processing. 
    • Processor: The person or organization that processes personal data on behalf of another person or organization. 
    • Personal Data: Any information relating to an identified or identifiable individual. This includes not only confidential data, such as health information, but any data that can be traced back to a particular person (e.g., name, address, date of birth). 
    • Special Categories of Personal Data: These are data concerning sensitive subjects, such as health information, ethnic background, political opinions, or the Citizen Service Number (BSN). 
    • Data Protection Impact Assessment (DPIA): A DPIA assesses the effects and risks of new or existing processing activities on privacy protection. This is also known as a Privacy Impact Assessment (PIA). 
    • Processing: Any operation or set of operations performed on personal data, such as recording, storing, collecting, combining, disclosing to another party, and destroying. 

    Scope
    This regulation applies to all personal data processing activities by all departments within the organization. In other words, it applies to all processing activities within the organization.

    Processing (Article 4, GDPR)
    Processing of personal data includes any operation or set of operations performed on personal data, whether or not by automated means. Under the GDPR, processing includes:

    • Collecting, recording, and organizing 
    • Storing, updating, and modifying 
    • Retrieving, consulting, using 
    • Disclosing by transmission 
    • Dissemination or otherwise making available 
    • Aligning or combining 
    • Restricting, erasing, or destroying data 

    From this list, it is clear that any action performed on personal data constitutes processing. 

    Purposes (Article 5, GDPR)
    Personal data may only be processed if a purpose has been established. The purpose must be explicitly described and justified. Data may not be processed for other purposes.

    Lawful Basis (Article 6, GDPR)
    Processing of personal data must have a lawful basis. This means that processing may only take place:

    • To comply with a legal obligation 
    • For the performance of a contract to which the data subject is a party 
    • To combat a serious threat to the health of the data subject 
    • For the proper fulfillment of an agreed task 
    • When the data subject has given consent for the specific processing 

    Method of Processing
    The main rule for processing personal data is that it is only allowed in accordance with the law and in a careful manner. Personal data is collected as much as possible from the data subject themselves. The law assumes subsidiarity, meaning that processing is only allowed when the purpose cannot be achieved in another way. The law also requires proportionality, meaning that personal data may only be processed if it is proportional to the purpose. If the same purpose can be achieved with no personal data, or with fewer or less burdensome personal data, that option must always be chosen. MiniDis ensures that personal data is accurate and complete before it is processed. This data is only processed by individuals with a duty of confidentiality. Additionally, MiniDis secures all personal data to prevent unauthorized access or modification. This is outlined in the information security management system compliant with ISO 27001.

    Transfer (Articles 44-50, GDPR)
    MiniDis does not transfer personal data to a country outside the European Economic Area (EEA) or to an international organization.

    Duty to Inform (Articles 13, 14, GDPR)
    MiniDis informs data subjects about the processing of personal data. When data subjects provide information to MiniDis, they are informed about how the organization will handle personal data. This is done via the privacy statement on the website and through the privacy policy. MiniDis receives personal data of insured individuals via its customers. These personal data are not received directly from the insured individuals. Therefore, MiniDis has made agreements with the insurer regarding the processing of personal data of its insured individuals.

    Informing the insured individuals about the manner of processing personal data will primarily be done by the insurer. However, MiniDis may also be asked about the manner in which personal data of insured individuals are processed. Legally, the insured individual has the same rights towards the insurer as towards MiniDis. 

    Deletion
    MiniDis does not retain personal data longer than necessary for the performance of control activities. When personal data is no longer needed to achieve the purpose, it is deleted as soon as possible. This means that the data is destroyed or altered in such a way that the information can no longer be used to identify someone.

    Rights of Data Subjects (Articles 13-20, GDPR)
    The GDPR also defines the rights of individuals whose data is being processed. These rights are known as the rights of data subjects and include the following:

    • Right to Information: Data subjects have the right to ask MiniDis whether their personal data is being processed; 
    • Right of Access: Data subjects have the opportunity to check whether and how their data is being processed; 
    • Right to Rectification: If it becomes clear that the data is incorrect, the data subject can request MiniDis to correct it; 
    • Right to Object: Data subjects have the right to ask MiniDis to stop using their personal data; 
    • Right to Erasure: In cases where the data subject has given consent for processing, the data subject has the right to have their personal data deleted; 
    • Right to Object: Data subjects have the right to object to the processing of their personal data. MiniDis will comply unless there are legitimate grounds for the processing. 

    Submitting a Request
    To exercise their rights, data subjects can submit a request. This request can be made in writing or via email. MiniDis has four weeks from receipt of the request to assess whether the request is justified. Within those four weeks, MiniDis will inform the data subject of the outcome. If the request is not granted, the data subject may appeal to the Security Officer or file a complaint with the Dutch Data Protection Authority (AP). When handling a request, MiniDis may ask for additional information to verify the identity of the data subject. The Security Officer can be reached via the general contact details of MiniDis.

    Obligations of MiniDis
    
    Data Protection Impact Assessment (Article 35, GDPR)

    A Data Protection Impact Assessment assesses the effects and risks of new or existing processing activities on privacy protection. MiniDis conducts this when there is automated processing, large-scale processing, or large-scale monitoring of special categories of data. This is particularly important for processing activities involving new technologies. 
