Privacy statement patients
The Netherlands Cancer Institute (formally known as Stichting Het Nederlands Kanker Instituut – Antoni van Leeuwenhoek ziekenhuis; henceforth: NKI) is committed to the protection of personal data. NKI processes personal data of patients, employees, and also of various other categories of data subjects who are affiliated with the hospital, such as patient contacts, NKI visitors, newsletter subscribers, training participants, volunteers and suppliers.
This privacy statement provides information about the processing of personal data. Data subjects must have confidence in the proper data processing of their health data. Therefore, we take all the necessary precautions to protect these data.
This privacy statement explains how we process your personal data.
Which party is responsible for processing your personal data?
NKI is the data controller, responsible for the processing of your personal data. The NKI Data Protection Officer (Functionaris Gegevensbescherming; DPO) monitors compliance with applicable laws and regulations regarding the processing of personal data.
What patient data do we process at the institute?
NKI processes the following personal data, among others:
- Name, first name(s), initials, titles, social security number (BSN), gender, date of birth, address, postal code, place of residence, telephone number, email address, bank account number;
- Administration number;
- The data mentioned under the first bullet belonging to your family members, as far as necessary;
- The data mentioned under the first bullet of other involved parties who need to be informed about your health and well-being, as far as necessary;
- Data concerning your health;
- Data concerning the health of your family members in case of hereditary disorders;
- Other special categories of data, for example data revealing your ethnic origin, religion or beliefs, or data concerning your sexual life that is essential for your treatment or care;
- Data concerning your previous and current treatment, including imaging and body materials, drugs or provisions;
- Data concerning the calculation, registration and collection of payment;
- Data concerning your insurance;
- Other data necessary to the practice of the profession as outlined in the Dutch Individual Health Care Professions Act (Wet op de Beroepen in de individuele gezondheidszorg; Wet BIG).
What personal data do we process from other data subjects?
We process contact details, such as names and email addresses, of other parties involved. These parties include contact persons, newsletter subscribers, training participants, volunteers and suppliers.
We process the IP-address of all NKI visitors who use our Wi-Fi network, including the hostname (the name you gave the device), MAC address, the moment you connected and were given a local IP, all websites visited and network protocols used.
In addition, camera recordings are taken of NKI visitors.
For which purposes do we process your personal data?
Personal data of patients
NKI processes personal data of patients in order to perform the medical tasks as defined in the treatment agreement and to provide you the best possible treatment. Your personal data will be stored in an electronic patient record. Personal data will also be processed for quality and safety purposes to give you the best care possible.
NKI also processes your personal data to comply with its legal obligations, as laid down in the Dutch Medical Treatment Contracts Act (Wet op de Geneeskundige Behandelingsovereenkomst, WGBO), Healthcare Quality, Complaints and Disputes Act (Wet kwaliteit, klachten en geschillen zorg, Wkkgz) and Healthcare Insurance Act (Zorgverzekeringswet, Zvw).
In addition, personal data are processed in order to calculate, register and collect treatment payment. NKI also processes personal data for the sake of audits, responsible business operations and as part of the physical checks by health insurance providers.
NKI processes your personal data, imaging and (remaining) body materials for medical scientific purposes and/or statistical purposes. We only process data that are relevant to the study. Please find an overview of several studies conducted over the past years on our website (https://www.nki.nl).
We also process your personal data for educational purposes, in order to improve care and to handle complaints, disagreements, incidents and calamities. Finally, your personal data will be processed in order to guarantee the continuity and security of our network and for the protection of employees and visitors of the NKI.
Personal data of other parties involved
NKI processes contact details of family members and legal representatives if direct communication with the patient is (temporarily) not possible, or because a patient's contact person has been designated as the patient's (legal) representative.
In addition, NKI uses personal data because of participation in a training course offered by NKI or for the purpose of sending a newsletter.
NKI also processes personal data concerning the Wi-Fi network and the pages visited in order to resolve any issues that may arise and to guarantee the continuity and security of our network. NKI uses these data for analytical purposes. We also use Google tracking cookies so we can show you relevant and personalized advertisements based on your browsing history, such as vacancies or interesting events at our institute. Please see our cookie policy for more information.
Finally, NKI processes personal data recorded by cameras at our institute that have been placed for the protection of employees and visitors to the NKI.
What is the legal basis for processing personal data?
- Data processing is necessary for the performance of a contract to which you are a party, such as the medical treatment agreement, educational agreement or an agreement with a supplier;
- You have given us explicit consent for the processing of your personal data. This includes registering as a contact person or signing up for our newsletter;
- Data processing is necessary to comply with NKI’s legal obligations;
- Data processing is necessary to protect your vital interests, such as engaging a health care provider in the event of an emergency;
- Data processing is necessary for the legitimate interests of NKI, such as measures in order to ascertain occupational safety.
How long will we retain your personal data?
We only process your personal data as long as necessary. This means that NKI only retains your personal data if this is necessary to fulfill one of the purposes mentioned above. After that, we will destroy or anonymize your data.
All data we receive from you as part of the treatment agreement, as well as data we receive from you as a patient’s contact, will be added to the patient’s medical record.
We are required by law to keep these medical records for a minimum of 20 years after the end of the treatment agreement. We can keep these records longer if required by law or if essential for adequate care or treatment.
All data processed for medical scientific purposes and/or for the improvement of our care will be stored as long as required for its research purposes.
All logging details concerning the use of our Wi-Fi network or website visits will be stored for 20 days. All camera recordings will be stored for a maximum of four weeks (unless a crime was recorded, in which case the images will be stored as evidence).
Who will receive my personal data?
For the performance of the treatment agreement, it may be necessary to involve various healthcare providers at NKI or other healthcare institutions. In that case, your health care provider may provide these healthcare professionals with the data necessary for the patient’s treatment and, consequently, the data of the patient’s contact(s).
Under certain circumstances, data will be shared with third parties for scientific purposes.
Personal data of people who participate in training courses or data of volunteers will only be shared with the supervisors in our institute.
Upon your visit to NKI or AVL websites, third-party services like YouTube may place cookies on your device (with your explicit consent). These third parties will receive your IP address. Please see our cookie policy for more information.
Third parties will also receive your personal data if these must be provided in execution of a law or court order or if necessary to safeguard your vital interest.
Will your personal data be processed outside of the EEA?
NKI may share your research data with parties located in countries outside the European Economic Area (EEA). Before sharing data with these parties, NKI will thoroughly investigate the level of protection of the relevant country. Furthermore, NKI will enter into an agreement with these parties setting out the research purpose for which the personal data may be used, how these data may be processed and what security measures must be taken.
Your IP address will be shared with parties beyond the European Union – including the US – through a cookie placement. We have an agreement with all third parties concerning the purposes for which the data may be used, how all data should be processed and what security measures must be implemented.
How do we protect your personal data?
We have taken appropriate technical and organizational security measures to protect your personal data from loss or unauthorized use. For example, we secure our systems in accordance with applicable information security standards and we have established relevant agreements with all our service providers.
Within NKI, personal data are only accessible to employees who need this access to perform their work. In the context of the treatment agreement, this includes your health care provider, but also employees of the financial administration. All employees are obliged to maintain confidentiality.
As far as possible, your personal data will be pseudonymized or completely anonymized for medical scientific research and/or the improvement of care. Once anonymized, it is no longer possible to find out whose personal data have been processed.
Automated decision-making and profiling
Automated individual decision-making and profiling is not applicable.
Your rights as a patient concerning your personal data
The General Data Protection Regulation (GDPR) states that you can exercise a number of rights in relation to your data. Some of these rights cannot be fully exercised if doing so would harm your health or the health of another person. Please find a brief clarification of your rights below.
- Right of access. You can view your patient file and request a copy.
- Right to data portability. You can request NKI to send other organizations the personal data you have provided digitally. This includes data entered in ‘MijnAVL’.
- Right to rectification. You can request NKI to change your personal details if they are incorrect or outdated.
- Right to object. You can object to the processing of your personal data.
- Right to erasure. You may ask NKI to destroy your patient record or part of it. However, we cannot comply with your request in all cases. For example, we are unable to fulfill your request if this would harm your own interest or the interest of third parties. Nor can we delete personal data that need to be processed by law.
To exercise your rights, please contact us at privacy@nki.nl. We will ask you for identification in response to your request.
Contact
NKI is committed to protecting your personal data to the fullest extent possible. If you have any questions about the processing of your personal data, please contact our Data Protection Officer at privacy@nki.nl or our Patient Information Center in the central hall of our institute (Plesmanlaan 121 in Amsterdam), or call +31 (0)20 - 512 9111.
If you have a complaint about the protection of your personal data, you can discuss this with your health care provider. You can also contact the NKI complaints officers or the Data Protection Officer at the email address mentioned above. In addition, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens; Dutch DPA).
Changes
NKI reserves the right to change this Privacy Statement at any time. We recommend that you consult this statement regularly.
Version dated: August 2024