zem.nl

Privacy statement


Privacy legislation in brief

Below is our privacy statement. It offers the following information:

  • We are pleased to provide some insight into the types of personal data we collect and what we do with them.
  • We will explain for what purposes we use your data, for how long we retain them and what your rights are in this regard.
  • We process your data in a secure manner. You have secure access to your personal data via MijnZZ.

Use of personal data

This privacy statement applies to ZEM's use of personal data in executing the ZEM Polis basic healthcare insurance and AV-ZEM supplementary insurance. ZEM is a brand operated by Zorg en Zekerheid.

Personal data are all data that directly or indirectly say something about you or about your personal situation. Sometimes the information is not strictly about you, but can be traced to your person. Such information also qualifies as personal data.

This does not include data on companies. However, it does include the data companies hold about their employees, individual care providers and customers.

Zorg en Zekerheid processes your personal data with great care and has issued this statement to explain how it uses your data. Healthcare insurers attach great importance to complying with statutory rules and regulations. This is why they have included joint rules of conduct in their Code of Conduct for the Processing of Personal Data by Healthcare Insurers. You can find the current Code of Conduct here: Code of Conduct for the Processing of Personal Data by Healthcare Insurers. One of the statutory privacy rules is transparency. Healthcare insurers therefore provide clarity in this privacy statement about how they handle your personal data.

This privacy statement provides answers to the following questions:

  1. What do we use your personal data for?
  2. For how long do we retain your personal data?
  3. What are your rights?
  4. How can you exercise your rights?
  5. How are your personal data protected?
  6. How to contact your healthcare insurer?

1. What do we use your personal data for?

We need to process personal data in order to be able to comply with the Healthcare Insurance Act and implement the insurance agreements that Zorg en Zekerheid enters into with insured persons. Zorg en Zekerheid includes your citizen service number in its records for the specific purpose of identifying you as an insured person (this is a statutory obligation).

Zorg en Zekerheid also uses your personal data for various other purposes, but only to the extent required for each purpose.

These purposes are:

I. Assessment and acceptance
II. Entering into and executing insurance contracts
III. Commerce and Marketing

    Zorg en Zekerheid may decide to outsource certain activities. However, Zorg en Zekerheid will always remain responsible for the use of your personal data. Examples of outsourced activities include those performed by parties such as VECOZO and Vektis on behalf of healthcare insurers.

    VECOZO

    For example, through VECOZO's Insurance Data Monitoring Service (COV), care providers can view the current insurance status (basic healthcare insurance (zorgverzekeringspakket) and/or supplementary insurance) of insured persons. In addition, they can submit electronic claims with the right healthcare insurer via VECOZO. A limited number of employees of healthcare insurers, who are specifically authorised to do so, can check via COV through which healthcare insurer a person is insured.

    Vektis

    Vektis supports healthcare professionals, patients’ associations and government bodies in their efforts to improve care and maintain an accessible and affordable high-quality healthcare system in the Netherlands. Vektis analyses expense claims data for healthcare insurers and provides these data on behalf of healthcare insurers to third parties, often for scientific research or to comply with a statutory obligation.

    We will provide more details for each of these purposes below.

    I. Assessment and acceptance

    Zorg en Zekerheid uses your personal data to check whether you are subject to compulsory basic insurance. Pursuant to the Healthcare Insurance Act, every person subject to compulsory insurance must be accepted for basic insurance.

    Automated processing of applications

    When you apply for basic or supplementary healthcare insurance, your data will be processed in an automated system. We will do so on the basis of the data you have entered in the electronic application form.

    If you have a question or wish to submit a complaint about the automated processing of your application, please contact Zorg en Zekerheid. A Zorg en Zekerheid employee will then assess your question or complaint.

    II. Entering into and executing insurance contracts

    Zorg en Zekerheid needs your personal details to enter into and execute basic insurance and supplementary healthcare insurance contracts. For this purpose, we also need data about your health.

    Executing the insurance contract covers the following actions: determining whether you are entitled to (reimbursement of the costs of) care, making payments to the care provider, paying reimbursements to you, collecting insurance premiums, providing services to you, determining the amount of your personal contribution and your voluntary and compulsory excess, performing checks, combating fraud (and maintaining an internal registration system for that purpose), recovering damages from third parties including insurers such as your travel insurer, the person responsible for the damages or the liability insurer, conducting surveys among insured persons as to the quality of care, improving services, providing groups of insured persons with targeted information, reducing premium payment arrears of policy holders with healthcare insurers, taking action to ensure the policy holder no longer owes premiums under administrative law, handling complaints and disputes, and analysing personal (and other) data for risk management purposes (including care expenditure control) and care purchasing.

    Zorg en Zekerheid maintains an Events Register to safeguard the security and integrity of its services and the sector. The Security Affairs Department or another department designated for this purpose may decide to include the personal data from the Events Register in an Internal Reference Register (IVR). In the IVR, Zorg en Zekerheid only includes personal data of legal entities that pose a risk to the safety and/or integrity of the healthcare insurer or the Group to which Zorg en Zekerheid belongs. If a particular event meets the criteria of the Protocol for Insurers and Criminality and the Incident Warning Protocol for Financial Institutions (PIFI), Zorg en Zekerheid will include the personal data concerned in an Incidents Register and, where relevant, in the External Reference Register (EVR, see ‘Exchanging data with third parties’ below).

    Exchange with third parties

    Your personal data is sometimes shared with or obtained from third parties. We never sell your personal data to third parties. Third parties with which we may exchange personal data include:

    • CAK (Central Administration Office for Exceptional Medical Expenses): Zorg en Zekerheid will disclose your citizen service number and your bank account number to CAK if you qualify for reimbursement of your (compulsory) excess. We are under a statutory obligation to do so.
    • Municipal Executive: Zorg en Zekerheid exchanges personal details with the Municipal Executive of the municipality where you live in order to prevent and reduce debt. We are under a statutory obligation to do so.
    • Ministry of Health, Welfare and Sport: Zorg en Zekerheid provides personal data (including health data) to the Ministry of Health, Welfare and Sport on request to the extent that this is a statutory obligation, for example because these data are necessary for the implementation of the Healthcare Insurance Act or the Long-term Care Act.
    • Health Care Institute: Zorg en Zekerheid provides personal data (including data on health) to the Health Care Institute on its own initiative or upon request if these data are necessary for the implementation of the Healthcare Insurance Act or the Long-term Care Act or the mutual coordination of care insured under the Healthcare Insurance Act and care insured under the Long-term Care Act or, after a request, for other tasks assigned to the Health Care Institute. We are under a statutory obligation to do so.
    • Care Needs Assessment Centre (CIZ): Zorg en Zekerheid provides the CIZ with personal data, including data on health, to the extent that these data are necessary for taking a special needs decision for entitlement to care under the Long-Term Care Act. We are under a statutory obligation to do so.
    • National Tax Administration: Zorg en Zekerheid provides personal data to the National Tax Administration insofar as this is necessary for the implementation of the Healthcare Insurance Act or for the mutual reconciliation of care insured under the healthcare insurance and care insured under the Long-term Care Act. We are under a statutory obligation to do so.
    • Auditor: Zorg en Zekerheid provides its auditor with personal data, including (possibly) personal data about health, to the extent that these data are necessary for the performance of the mandatory audit of the financial statements.
    • Public Prosecution Service and police: Zorg en Zekerheid provides the Public Prosecution Service and the police with personal data when and to the extent that there is a statutory obligation to do so.
    • Employers or representative agents: If you receive a premium discount because you participate in a group scheme, Zorg en Zekerheid will use your personal data to periodically check your continued entitlement to the discount with your employer or representative agent.
    • Care Administration Offices: To prevent healthcare costs being paid both under the Long-Term Care Act (Wlz) and under basic insurance, and to ensure effective coordination of care insured under the healthcare insurance and the Wlz.
    • SVB (Social Insurance Bank): The SVB receives data from the Care Administration Office for the purpose of keeping the records of insured persons as referred to in Section 35 of the Work and Income (Implementation Organisation Structure) Act (Wet SUWI) and for payments from the personal care budget and the associated budget management.
    • Regulators: Zorg en Zekerheid exchanges personal data with supervisory authorities (such as the Dutch Healthcare Authority and the Dutch Data Protection Authority) to the extent required for their supervisory tasks. We are under a statutory obligation to do so.
    • Scientific research: Healthcare insurers regularly receive requests, for example from university medical centres, for permission to use (health-related) personal data for scientific research or statistics. Personal data will only be made available if and to the extent anonymous data will not suffice, if the research serves the general interest and if it was impossible to ask for permission.
    • External Reference Register: We also have an External Reference Register, which includes the personal data of individuals whose conduct has sufficiently proved to pose an actual or potential threat to the financial interests of Zorg en Zekerheid, its employees or its insured persons. Information in the External Reference Register is available to participants in the Incident Warning System (Financial Institutions) Protocol.
    • Key Register of Persons: Healthcare insurers obtain personal data from the Key Register of Persons.
    • The National Terrorism Sanctions List of the Central Government: Healthcare insurers must check whether you are on this list. If you are on the list, this will be reported to the Dutch Central Bank.
    • Other insurers: We sometimes exchange information to recover damage or costs that we have compensated, for example from your travel insurer if it also offers cover in addition to your basic or supplementary insurance, or from the liability insurer of another person who caused the damage or costs.
    • Healthcare providers: Care providers contracted by Zorg en Zekerheid charge the costs of the care directly to Zorg en Zekerheid.

    Transfer of personal data to third countries

    In the event that Zorg en Zekerheid wishes to use or already uses the services of an organisation located in a country outside the EEA, entailing the transfer of personal data, Zorg en Zekerheid shall act as follows:

    • If the country is subject to an ‘adequacy decision’ of the European Commission, the EU considers that the country ensures an adequate level of protection and personal data may be transferred.
    • If there is no adequacy decision, personal data shall be transferred only if appropriate safeguards are provided for the protection of personal data.
    • In cases where appropriate safeguards cannot be provided (for example by including the standard contractual provisions prescribed by the EU in the agreements), transfer to a third country is only permitted in exceptional cases, for example if you have given permission for such transfer or if the transfer is needed for the establishment, exercise or substantiation of a legal claim.

    Zorg en Zekerheid also imposes the above obligations on organisations to which work has been outsourced. If, in turn, such an organisation wishes to outsource activities, that party must also meet these conditions.

                  Your health information

                  Zorg en Zekerheid takes particular care when handling data about your health. We use such data to determine whether you are entitled to (reimbursement of the costs of) care. To the extent required, we also use health-related data to check information, to investigate cases of fraud, to recover costs from third parties and to conduct care purchasing and risk management analyses.

                  Zorg en Zekerheid's medical adviser is a physician, dentist, physiotherapist, obstetrician, nurse, healthcare psychologist, psychotherapist or pharmacist included in the Individual Healthcare Professions Act (BIG) Register.

                  The medical adviser is bound to a statutory duty of confidentiality. The medical adviser is / medical advisers are responsible for the use of health-related data. This includes the use of health-related data by any employee, except as regards purely administrative actions such as the processing of claims submitted by care providers and forwarding and digitising mail. The group of employees that come under the responsibility of the medical adviser is known as the ‘functional unit’. The employees that form part of the functional unit are bound to the same duty of confidentiality as the medical adviser.

                  Automated processing of authorisation request or declaration

                  Your authorisation request goes through a careful process, in which assessment criteria based on the insurance conditions are applied to your request. These criteria may be applied as part of an automated system. You will be notified about the acceptance or rejection of your application. That notification also includes instructions on how to submit a complaint, should you wish to do so. Claims are normally processed in an automated system that includes the use of assessment criteria based on the applicable insurance conditions. You always have the opportunity to submit a question or complaint in connection with the automated processing of your claim. A Zorg en Zekerheid employee will then examine your question or complaint.

                  III. Commerce and Marketing

                  Zorg en Zekerheid uses your personal data to inform you and to bring its other products and services to your attention. We never use data about your health (such as claims-related data) for commercial purposes unless you have given explicit consent. Sometimes Zorg en Zekerheid selects specific customers from its customer file, for example in order to promote a product among a particular target group.

                  Analysis

                  Zorg en Zekerheid uses your personal data for analyses for marketing activities. Data about your health will not be used unless you have given your explicit consent.

                  Selecting customer groups

                  Zorg en Zekerheid uses personal data to compose customer groups for the purposes of marketing activities and service improvement. Customer groups can also be created on the basis of data obtained from sources outside of Zorg en Zekerheid. Your data will not be used for automated decisions that entail legal consequences for you or affect you in any other significant manner.

                  Cookies

                  When you visit the Zorg en Zekerheid website, we may store information on your computer in the form of a cookie. For more information about cookies on the Zorg en Zekerheid website, please read our Cookie Statement (in Dutch).

                  Camera Surveillance

                  Finally, Zorg en Zekerheid uses camera images recorded inside its buildings and on its premises so as to guard your property and ours.

                  2. For how long do we retain your personal data?

                  Zorg en Zekerheid will retain your personal data for as long as we need them for the purpose for which we originally obtained them. This means that we will retain most data for seven years (counting from the year after the year to which they relate), with the following exceptions:

                  • No signed insurance contract: It may be the case that you applied for insurance from Zorg en Zekerheid but have not actually entered into an insurance contract. You may have decided yourself not to take out the insurance, or perhaps Zorg en Zekerheid refused it. In such cases, Zorg en Zekerheid will retain your data for one year following the application. This enables Zorg en Zekerheid to check your data in the event that you submit another application the next year. In addition, it enables Zorg en Zekerheid to introduce you to other products you may be interested in, unless you have expressly stated that you do not want us to do so.
                  • After termination of your insurance: If you have taken out insurance, but have terminated it in the meantime, we will retain your data for a maximum of seven years after termination of your insurance or after receipt of your last bill. We do so in part in compliance with the Healthcare Insurance Act. We are permitted to use those data for marketing purposes for up to two years, unless you have expressly indicated that you do not want us to do so.
                  • Research involving medical data: If we have used your medical data in the context of a study or we need your data for a future study, we will retain your data for as long as is necessary to carry out and complete the study and, after that, to secure our rights, for example to recover claims in connection with care that was claimed but never provided.
                  • Fraud: After using your data as part of an investigation into fraud, we will retain such data for a period of eight years after the end of the investigation.
                  • Recording telephone calls for training purposes: We can record your telephone calls with us. We do this in order to train our employees and thus improve our services. We retain this data for 4 months.
                  • Termination of insurance due to payment behaviour: If your insurance was terminated due to your failure to pay (or pay in time) any amount owed, we will retain the relevant data for five years at most.
                  • Objections or complaints: In the event that we used your data within the context of a complaint or dispute, we will retain them for a period of 5 years after concluding the relevant complaints handling or dispute settlement procedure.
                  • Risk adjustment: Zorg en Zekerheid retains all data of insured persons that are required for the risk adjustment for 15 years as from 1 January of the year to which the Health Care Institute allocates the costs of care. As a result of the risk adjustment, healthcare insurers that have more insured persons with high healthcare costs receive financial compensation from the government. This is carried out by the Health Care Institute.

                          3. What are your rights? 

                          You have the right to inspect, rectify, erase or limit the use of your personal data, to claim the portability of your personal data, and to object to, and withdraw your consent for, the use of your personal data. Below we will explain what these rights entail.

                          Right of inspection

                          You have the right to inspect your personal data held by Zorg en Zekerheid and to inspect the information for which we use those personal data. Generally speaking, we have safeguards in place to ensure the right of inspection by enabling you to personally view, via MijnZZ, which of your personal data are processed (name and address details, insurance details and information about excess, premiums and healthcare costs paid). In addition to that, you may want to have access to other, specific information. If so, please submit a request to that effect, specifying the data you wish to inspect.

                          Data portability

                          You have the right to receive your personal data from Zorg en Zekerheid in a structured, commonly used and machine-readable format if those data were provided to Zorg en Zekerheid by you or on your behalf and Zorg en Zekerheid used them by automated means. Zorg en Zekerheid may also send the personal data directly to another healthcare insurer in the case of data you need to switch to that other healthcare insurer or in the case of care reimbursement authorisations issued by Zorg en Zekerheid. If you wish Zorg en Zekerheid to send your data directly to another healthcare insurer, please make sure to say so in your request.

                          Rectification

                          You have the right to rectify any personal data concerning you that are incorrect. You have the right to have incomplete personal data completed, for example by means of providing a supplementary statement. In your request, please specify the data to be rectified and why they must be rectified.

                          Erasure

                          You can ask Zorg en Zekerheid to erase your personal data if you believe that one of the following grounds applies:

                          • Zorg en Zekerheid no longer needs your personal data;
                          • Your data are being used on the basis of your specific consent, and you decide to withdraw your consent;
                          • You object, in the manner described below, to the use of your personal data;
                          • The use by Zorg en Zekerheid of your personal data was unlawful;
                          • Zorg en Zekerheid was under a statutory obligation to erase your data;
                          • Zorg en Zekerheid uses your data for social media purposes.

                          In your request, please specify the data you wish to have erased and why you believe that Zorg en Zekerheid should do so. If your request concerns your insurance, it will often prove impossible to erase your data because Zorg en Zekerheid needs them, with due regard for the applicable retention period (see section 2).

                          Limitation

                          You have the right to demand that the use of your personal data is limited:

                          • During the period that Zorg en Zekerheid needs to confirm that your data need to be corrected;
                          • If Zorg en Zekerheid unlawfully used your personal data but you do not wish them to be erased;
                          • During the period in which you are awaiting a response from Zorg en Zekerheid after objecting to the use of your personal data.

                            If Zorg en Zekerheid no longer needs your personal data for its own processing purposes and may therefore no longer retain them, you can request Zorg en Zekerheid to retain these data for longer. You can submit this request if you still need your own data to lodge, exercise or substantiate a legal claim. Zorg en Zekerheid must then retain this data for longer, but may no longer use it for its own purposes.

                            If the use of your personal data is subjected to limitations, Zorg en Zekerheid will not be permitted to use them without your consent. There are a number of exceptions to this rule. Your personal data may still be used:

                            • To ensure the proper performance of your healthcare insurance and supplementary healthcare insurance, so that you remain insured and your healthcare insurer will continue to be able to pay your bills;
                            • To establish, exercise and defend a legal claim;
                            • To protect the rights of another person or legal person; or
                            • For reasons of significant public interest for the European Union or a Member State of the European Union, for example in the area of public health.

                            In your request, please explain why Zorg en Zekerheid should not have used your personal data. Alternatively, you can enclose the request for limitation on the use of your personal data with a request for rectification or an objection.

                            If you submitted a demand for limitation on the use of your personal data along with your demand for rectification or your objection, the use of your personal data will be limited during this period.

                            Objection

                            You have the right to object to the use of your personal data for the purposes of direct marketing. If your data are used for purposes other than direct marketing or performance of your insurance contract, you are entitled to object if you have special personal reasons to do so. In your objection, please specify the data concerned and your reasons for objecting.

                            Consent

                            If Zorg en Zekerheid only uses your personal data with your consent, you may withdraw your consent at any time. Withdrawal of your consent has no retroactive effect. This means that it will not have any consequences for actions that have already been performed.

                            In your request, please specify the consent that you wish to withdraw.

                            4. How can you exercise your rights?

                            If you wish to claim one of the rights specified above, please submit a request to that effect to the Data Protection Officer at Zorg en Zekerheid. You can do so by letter or email, for example. We will let you know within one month how we have handled your request. If your request is particularly complex, we may extend this deadline by another two months. If Zorg en Zekerheid wishes to extend the deadline, we will let you know within one month following receipt of your request.

                            If you do not agree with the handling of your request, you can file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (or any other European supervisory authority). Alternatively, you can submit a notice of request to the court.

                            Are you a policyholder and have you taken out basic insurance for a child? In that case you can also invoke the rights mentioned under 3. above in respect of the child. Note however that special rules will apply once the child turns 16. From then on, as a policyholder you are only entitled to the data needed to take out the basic insurance policy and maintain an overview of the invoices payable by you. For example, when you request access to the personal data of a child aged 16 or older for whom you are the policyholder, we will only be able to provide you with the data specified above. We can provide access to all personal data only if you are able to submit an authorisation to that effect signed by the child aged 16 or older.

                            5. How are your personal data protected?

                            Zorg en Zekerheid has implemented company-wide security measures to protect your personal data. These measures concern the organisation, its employees, processes, technology and physical security and are laid down in the Zorg en Zekerheid Security Policy.

                            The world of information security is developing at a rapid pace. We have designed our security measures with due regard for the relevant international standards, such as ISO standard ISO 27002. We periodically check whether the measures imposed are still effective. We do so by carrying out risk analyses, implementing internal control plans and commissioning independent audits. In addition, Zorg en Zekerheid comes under the direct supervision of various supervisory bodies and the external auditor, with supervisory tasks focusing on, among other things, the functioning of internal control measures for information security.

                            If Zorg en Zekerheid engages third parties in the processing of personal data, Zorg en Zekerheid will verify that they have implemented sufficient security measures appropriate to the type of personal data concerned.

                            6. How to contact your healthcare insurer?

                            If you have any questions, please do not hesitate to contact Zorg en Zekerheid.

                            Please address your question to the Data Protection Officer. Send your email to privacy@zorgenzekerheid.nl.

                            This privacy statement is subject to change. You will always find the most recent version here. The date of the most recent amendment is shown at the bottom of this statement.

                            Leiden, 27 December 2024