Medicoo Privacy Statement
About this service
This service allows you to ask nurses and doctors questions about your health via the App. This service was developed by TWA Medic-Info BV (hereafter: Medicinfo). Medicinfo is also the party that performs the service and who, in this context, processes your personal data if you use this service.
You can also use this service to ask a healthcare question for another person, such as your child or someone else you care for. In that case, the conditions of this Privacy Statement apply to both you and the person to whom the question relates.
When using the Medicoo Service, your case may be eligible for a digital consultation with a GP, i.e., via video call. In this case, you can choose whether to make use of a Video Consultation.
Medicinfo’s clients (including health insurance providers) enable you to use these services, but these parties are not usually involved in any way themselves. They also have no access whatsoever to personal and medical data that can be traced back to individual persons.
One exception to this rule is when the Medicoo Service is offered by your own GP, GP practice, or medical centre and they also play a role in implementing the service, are informed about it (with your permission), or declare the transaction performed (via EHIC) to your own foreign health insurance provider.
Medicinfo determines the entire interpretation and implementation process of the Medicoo Service and is therefore the so-called processor in the sense of the General Data Protection Regulation (GDPR) for the processing of personal data. The contact details for Medicinfo are as follows:
- Postal address: Dr Anton Philipsweg 31, 5026 RK, Tilburg
- Email address: firstname.lastname@example.org
In the case of a Video Consultation with a GP, the GP is independently responsible for conducting the Video Consultation. Personal data is then processed on the basis of the treatment agreement with the GP, which either already exists or was established during the first (video) consultation.
There is joint responsibility when it comes to determining, recording, and verifying the identity of the patient: Medicinfo requests and records your ID information, and the GP uses it to verify your identity.
Data Protection Officer (hereinafter: DPO)
Medicinfo has appointed a DPO to ensure that the processing of personal data takes place in a secure manner, in accordance with the requirements and guidelines set by law. You can direct any questions about the privacy aspects of data processing to the DPO. The contact details for the DPO are as follows:
- Postal address: Medicinfo Attn: the DPO, Dr Anton Philipsweg 31, 5026 RK, Tilburg
- Email address: FG@medicinfo.nl
We are committed to protecting your privacy. In this Privacy Statement, we inform you about matters such as (1) the personal data that we process in the App, (2) the purposes for which we use personal data, (3) the legal basis for processing, (4) where we store personal data and how long we keep personal data, (5) the parties with which we may share personal data, (6) your rights and how you can exercise them, and (7) the security of personal data.
1. The personal data that we process
We process the following personal data concerning you and/or the person for whom the healthcare request is made:
- First name + Last name;
- Date of birth;
- Citizen Service Number (BSN);
- Phone number.
If you are not insured for healthcare in the Netherlands but are insured in another country within the EEA, we will also process these data:
- EHIC (European Health Insurance Card) identification number
- Name of your health insurance provider
- Identification code of your health insurance provider
We will also process the following special and/or sensitive personal data:
- Questions you have asked in the App and responses to them from us regarding your health (if applicable);
- Any photos that you may upload containing health information and which are traceable to an individual.
Note: You can, of course, choose what you do and do not want to share through the App.
If a Video Consultation is part of the service, we are obliged under the Act on the Use of the Citizen Service Number (BSN) in Healthcare (Dutch: Wgbsn-z) to check and register the patient’s identity and BSN. We are also required to verify the identity of the patient in case of a claim made through the EHIC. We use the data entered in the App for this purpose, record this data, and make it available to the GP. The GP will then ask you, or the person for whom the healthcare request is made, to identify yourself during the Video Consultation by showing the requested ID to the camera. In the case of a Video Consultation, we will therefore process the following personal data (in addition to the BSN):
- ID type (driving licence/ID card/passport);
- Identity document number.
2. What we use the personal data for
Medicinfo processes personal data for the following purposes:
- to implement the various services offered, especially the provision of tailored information or advice;
- to communicate medical information to one’s own GP (if permission is granted);
- to make a claim for the transaction performed;
- to analyse the use of the App in order to improve its functionality;
- to improve the quality of our services.
And, in the case of a Video Consultation:
- to establish the identity and BSN of the patient in the context of the Dutch Wgbsn-z.
3. The legal basis for data processing
Medicinfo may only process personal data if there is a legitimate legal basis for doing so. This legal basis, in the case of this App, is that you have given your explicit consent to Medicinfo processing your data, or the data of someone you legally represent, when using the services upon installing the App (by agreeing to this privacy statement).
4. Where we store personal data and how long we retain personal data
The personal data we process is stored on servers hosted in Europe.
Medicinfo does not retain personal data longer than strictly necessary to achieve the goals for which the data is collected. Our retention periods are:
- 6 months, if the data is only used for the purposes of improving the quality of our
- 20 years, if the data is part of a treatment relationship and thus falls under the mandatory minimum retention period for medical records.
After the expiration of the retention period, the data will be deleted or adequately anonymised.
5. The parties with whom we may share personal data
Medicinfo never sells the data to third parties and will only provide it to others if necessary for the provision of services or to comply with a legal obligation.
The Medicoo Service is performed entirely under the responsibility of Medicinfo. If other parties are involved in implementation (e.g., by hosting the applications that register the personal data), Medicinfo has entered into a processor agreement with these parties that sets out the requirements for the implementation of the service. Your medical questions are answered at Medicinfo by nurses and doctors registered in the BIG-register. Medicinfo staff have all signed confidentiality agreements.
Medical information related to your healthcare needs may be shared with your own GP, but only if you do not object to this. When you have a Video Consultation with a GP, Medicinfo passes the previously listed ID information to the GP who will be doing the Video Consultation with you.
Data may be shared with researchers in order to research the use or operation of the service. Anonymised data will always be used for this purpose, or else only after explicit permission has been obtained.
If a health insurance provider allows you to use the Medicoo Service, they will never be able to learn of medical information that can be traced to individual persons and that is processed through the App or the underlying service. Medicinfo may provide data about the use of the service to the party concerned, but this does not include personal data and it certainly never contains medical information that can be traced back to individual persons.
If the Medicoo Service is offered by your own GP, GP practice, or a medical centre, then the service is provided in collaboration with this party. In some situations, this party may take an active role in the service itself and may therefore have access to your medical records. In some cases, the party has no active role but will be informed through a consultation report, though only if you do not personally object to this. When a claim for the transaction performed is declared to your own foreign health insurance provider (via EHIC), they will, of course, be able to see the transaction performed for which reimbursement has been requested.
6. What are your rights and how can you exercise them?
Accessing and correcting your personal data
You have the right to access your personal data that we process and to see what we use it for. You can view the data on your phone via the installed App. You may also want to see what information Medicinfo has recorded about you. You can submit a request to do so. Please specify the information you would like to receive and why. You also have the right to correct your personal data if the data we process about you is incorrect.
You may only use this service if you have given your explicit consent based on the Privacy Statement when installing the App. You can always revoke your consent, but, taken together with the overall agreement for the App, this will terminate your use of the service. You can then remove the App from your device yourself.
Please note that withdrawing your consent is not retroactive and therefore does not affect processing operations that have already been carried out.
Deleting your personal data
You have the right to ask us to delete your personal data, for example if the personal data is no longer needed for the purposes for which we collected/processed it, or if you withdraw your consent regarding the use of your personal data. In your request, please state which data you would like removed and why.
You have the right to receive the personal data we process from us in a structured, standard, and machine-readable form, if such personal data has been provided to us by you or on your behalf and has been used by us in automated systems.
Exercising your rights
If you wish to invoke any of the rights above, you may submit a request to the Medicinfo DPO using the contact details provided. We will respond as soon as possible, and within one month at the latest. If responding to your request will take more time, we will also inform you of this within one month.
To ensure that the request to access, correct, or delete data has been made by you, we will contact you and ask for confirmation. In doing so, we may ask you to show proof of identity to verify that it is indeed your data.
7. Personal data security
Medicinfo takes the protection of data very seriously and takes appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure, and unauthorised changes. Medicinfo organises its information security through an Information Security Management System (ISMS) and is ISO27001 and NEN7510 certified.
All employees of Medicinfo and employees of any processors involved who may have access to your data have been screened, have a positive certificate of good conduct (VOG) and have signed a confidentiality agreement. All nurses and doctors are also bound by medical confidentiality through their registration in the BIG-register.
If you feel that your data has not been properly secured after all, or if there are indications of misuse, please contact the Medicinfo DPO immediately.
Medicinfo has appointed a Complaints Officer and established a complaints protocol. If you have a complaint regarding our services, you can address it to the Complaints Officer at:
- Postal address: Medicinfo, Attn: Complaints Officer, Dr Anton Philipsweg 31, 5026 RK, Tilburg
- Email address: email@example.com
Upon receipt of your complaint, the Complaints Officer will inform you of how your complaint will be further handled. If your complaint has not been managed satisfactorily by Medicinfo, the complaints protocol indicates how to proceed. Medicinfo is affiliated with a disputes committee for such cases. If applicable, the complaints protocol will be sent to you by the Complaints Officer, but it can also be found on the Medicinfo website.
If your complaint pertains specifically to the processing of your personal data, you may also direct your complaint to Medicinfo’s DPO, with the option to escalate it via www.autoriteitpersoonsgegevens.nl.
About this Privacy Statement
Medicinfo may change this Privacy Statement. This is allowed, for example, when there is a change to the laws or regulations, or if we change a process or develop new products or services. You will always find the latest version in the App.