Privacy statement

This Privacy statement applies to the statutory health insurance (public health insurance) and the supplementary health insurance from Coöperatie Salland Zorgverzekeraar U.A. (hereinafter to be referred to as Salland). HollandZorg is part of Salland Zorgverzekeraar.

Personal data

This privacy statement applies to the use of personal data by Coöperatie Salland U.A (hereinafter referred to as Salland) for the implementation of the health insurance (public health insurance) and the supplementary health cover.
Personal data are all data that reveal something about you or your personal situation. Sometimes, the information is not directly about you, but it can be traced back to you. In that case, too, this concerns personal data.
Data about companies are not personal data. However, data about their employees, individual healthcare providers or customers are.
Salland treats your personal data with due care and with this statement wishes to explain to you how we use your personal data. Because health insurers deem it important that they follow the statutory rules correctly, they have included common rules of conduct in the “Gedragscode verwerking persoonsgegevens zorgverzekeraars” (Code of Conduct for the Processing of Personal Data by Health insurers). You will find the current Code of Conduct here. One of the statutory privacy rules is the obligation of transparency about how the personal data of customers are handled. Health insurers do this by providing this Privacy Statement.

This Privacy Statement answers the following questions:
1. What are your personal data used for?
2. How long are your personal data held?
3. What are your rights?
4. In which way can you exercise your rights?
5. How are your personal data protected?
6. How can you get in touch with your health insurer?

This Privacy Statement is subject to change. The most recent version can always be found here. The date of the most recent change is included at the bottom of this statement.

Deventer, 1 april 2024

The main changes compared to the previous version

This privacy statement was readopted when the General Data Protection Regulation came into force. Since then, the statement was supplemented as follows:

When you, the international worker, have taken out group insurance, we will share your personal data with your collectivity on the basis of a legitimate interest. For this exchange, we have carefully weighed up your personal interests against our business interests.

Our privacy statement

1.What are your personal data used for?

To implement the Health Care Insurance Act and the insurance agreement which Salland entered into with its policyholders, personal data are necessary. Specifically to be able to identify you, Salland includes your ‘burgerservicenummer’ (citizen service number) in its administration (a legal obligation).

Salland uses your personal data for various purposes but only if and insofar as that purpose requires this use.

These purposes are:

To assess and accept
To conclude and execute the insurance policy
Commerce and Marketing

Salland may opt to outsource activities. However, Salland always remains responsible for the use of your personal data. Examples of outsourcing would be the activities carried out by VECOZO and Vektis, among other entities, on behalf of health insurers.

VECOZO
Care providers can, for example, consult the current insurance data (basic and/or supplementary health insurance package) of insured parties via VECOZO’s service COV (Controle op Verzekeringsgegevens, i.e. Insurance Data Check) and submit claims digitally to the correct health insurer via VECOZO.

A limited number of employees of health insurers who are specifically authorized to do so can use COV to find out with which health insurer a person is insured.

Vektis
Vektis supports healthcare professionals, patient organizations and government parties in improving healthcare and keeping good healthcare accessible and affordable in the Netherlands.

Vektis carries out analyses of claim details for health insurers and provides these data to third parties on behalf of health insurers, often for scientific research or to comply with a statutory obligation.

This paragraph will discuss parts I to III in more detail.

To assess and accept

Salland uses your personal data to check whether you are subject to compulsory insurance for the basic healthcare insurance. The principle of the basic health insurance is that every person who is subject to compulsory insurance is accepted, which is laid down in the Health Care Insurance Act.
For supplementary health cover, personal data regarding somebody’s health are requested in the context of underwriting policy so as to assess whether the insurance policy that somebody applies for may be concluded. The data are assessed under the responsibility of the medical adviser. This assessment may result in the applicant receiving an offer that differs from what he or she applied for.

Automated processing of applicationYour details are processed automatically when you apply for a basic health insurance or supplementary health cover. This is based on the data you entered in the (electronic) application form.

In the case of your application for supplementary health cover, this may also concern health data. The result will either be the conclusion of the insurance policy or the rejection of your application.

You can always contact Salland and submit a query or lodge a complaint regarding the automated processing of your application. The question or complaint is examined by a Salland employee.
Conclusion and execution of the insurance
Salland needs your personal data for concluding and executing the basic health insurance and supplementary health cover. To execute these insurance policies, we also need information about your health.

Among other things, the implementation of the insurance policy covers the following: establishing whether you are entitled to (reimbursement of expenses related to) care, paying the healthcare provider, paying reimbursements to you, collecting the premium, providing the service to you, establishing personal contributions and compulsory and voluntary excess, carrying out checks, fighting fraud (including an internal registration system), claiming damages from third parties, including other insurers (for example your travel insurer), the person responsible for the damage or the liability insurer), carrying out research among policyholders into the quality of care, improving service, targeting groups of policyholders with information that is relevant for them, reducing arrears of the policyholder with the health insurer, ensuring that the policyholder no longer owes an administrative premium, processing complaints and disputes and analysing (personal) data for risk management (including controlling healthcare spending) and the purchase of care.

Salland maintains Events Records to ensure the security and integrity of the service and the sector. The Security Affairs Department or another designated department may decide to include the personal data from the Events Records in an IVR (Intern Verwijzingsregister, i.e. Internal Reference Register). Salland only includes personal data of persons or legal entities in the IVR that pose a risk to the safety and/or integrity of the health insurer or the Group to which Salland belongs. If an event meets the criteria of the PIFI (Protocol Incidentenwaarschuwingssysteem Financiële Instellingen, i.e. the Financial Institutions Incident Warning System Protocol), Salland will record the relevant personal data in an Incident Register and, where appropriate, the EVR (Extern Verwijzingsregister, i.e. External Reference Register, mentioned below under ‘Exchange with third parties’).

Exchange with third parties
Your personal data may sometimes be shared with or acquired from third parties. They are never sold to third parties. Examples of sharing information with third parties are:
- CAK: Salland provides your citizen service number and your bank account number to the CAK (Centraal Administratie Kantoor, i.e. Central Administration Office) if you are eligible for reimbursement of the (compulsory) excess. This is a legal obligation.
- Municipal Executive: Salland exchanges personal data with the Executive of the municipality where you live, in order to prevent and reduce debts. This is a legal obligation.
- The External Reference Register is where the personal data are stored of persons whose behaviour has sufficiently been proven to constitute a (potential) threat to the financial interests of (employees of) Salland and its policyholders. The External Reference Register can be accessed by participants in the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen (Financial Institutions Incident Warning System Protocol).
- Basis Registratie Personen (Key Register of Persons): Health insurers obtain personal data from the Basis Registratie Personen.
- The National Terrorism Sanctions List of the Central Government: Health insurers should check whether you are on this list. If you are on the list, this will be reported to De Nederlandsche Bank.
- Other insurer: we sometimes exchange data to recover the costs of claims for damage we have settled or that we have reimbursed, for example, from your travel insurer if they also offer cover in addition to your basic health insurance or supplementary health cover, or from the liability insurer of another person, who is responsible for the damage or costs.
- Healthcare providers with whom Salland has concluded a contract: they will directly charge the costs of care to Salland.
Transfer of personal data to third countries
In the event that Salland wishes to use or makes use of the services of an organization established in a country outside the EEA and consequently a transfer of personal data takes place, Salland will act as follows:
- If a so-called adequacy decision by the European Commission applies to the country in question, this means that the EU is of the opinion that the country guarantees a suitable level of data protection and the transfer of personal data is allowed to go ahead;
- If an adequacy decision does not apply, transfer of personal data shall only take place if appropriate safeguards are in place for the protection of personal data;
- In those cases where appropriate safeguards are impossible, for example the inclusion of the standard contractual clauses as prescribed by the EU in the agreements, transfer of data to a third country shall only be allowed in exceptional circumstances. For example, if you have given permission for this or to initiate, carry out or substantiate a legal action.
Salland also imposes the above-mentioned obligations to organizations to which it outsources work. If such an organization in turn wishes to outsource work to another party, that party must also comply with these conditions.

Information about your health
Information about your health are data that Salland treats with extra care. Salland uses these data to determine whether you are entitled to (reimbursement of expenses related to) care. Insofar this is necessary, details about your health are also used for checks, carrying out investigations into fraud, recovering costs from a third party and analyses for purchasing care and risk management.

Salland's medical adviser is a professional listed in the BIC register (Beroepen in de Individuele Gezondheidszorg, Register of Individual Health Care Professions) as a: doctor, dentist, physiotherapist, obstetrician, nurse, healthcare psychologist, psychotherapist or dispensing chemist.

The medical adviser has a legal obligation of confidentiality. The use of health data is the responsibility of the medical adviser(s). Every employee who uses health data falls under the responsibility of the medical adviser, except with regard to actions of a purely administrative nature, such as processing claims from healthcare providers and forwarding and digitalizing post. The group of employees under the responsibility of the medical adviser is called the ‘functional unit’. The employees in the functional unit and the medical adviser have the same obligation of confidentiality.

Automated processing of authorization application or claim
Your application for authorization moves through the stages of a careful process, where assessment criteria based on the terms and conditions of the insurance are applied to your application. Applying these criteria can be automatic. You will always receive a message stating whether your application has been rejected or approved. It also describes how you can lodge a complaint if you wish.

Claims are usually processed automatically, where assessment criteria based on the terms and conditions of the insurance are applied to your claim.

You have the option of submitting a query or lodge a complaint regarding the automated processing of your claim. The question or complaint is examined by a Salland employee.
Commerce and Marketing

Upon request, Salland provides personal data (including data about health) to the Ministry of Health, Welfare and Sport insofar as this is a statutory requirement, for example because these data are necessary for the implementation of the Zorgverzekeringswet (Health Care Insurance Act) or the WLZ (Wet Langdurige Zorg, Long-Term Care Act).
On its own initiative or upon request, Salland provides personal data (including data about health) to the Zorginstituut (National Health Care Institute) if these data are necessary for the implementation of the Health Care Insurance Act or the Long-Term Care Act, or the mutual alignment of care insured pursuant to the Health Care Insurance Act and care insured pursuant to the Long-Term Care Act, or upon request, for other tasks assigned to the Zorginstituut. This is a legal obligation.
Salland provides personal data (including data about health) to the CIZ (Centrum Indicatiestelling Zorg, i.e. Care Needs Assessment Centre) insofar as these data are necessary for making a care assessment decision with regard to entitlement to care on the grounds of the Long-Term Care Act. This is a legal obligation.
Salland provides personal data to the Dutch Tax Authority insofar as these data are necessary for the implementation of the Health Care Insurance Act or the mutual alignment of care insured pursuant to the Health Care Insurance Act and care insured pursuant to the Long-Term Care Act. This is a legal obligation.
Salland provides personal data to its accountant, including health data (where applicable), insofar as these data are necessary for the implementation of the mandatory audit of the financial statements.
Salland provides personal data to the public prosecution department and the police when and insofar as there is a legal obligation to do so.
Employers or representatives: if you receive a discount on your premium for participating in a group scheme, Salland uses your personal data to check with your employer or representative periodically to see if you are still entitled to this discount.
Zorgkantoren (Healthcare Administration Offices): to prevent that care is being paid for both on the grounds of the WLZ (Long-Term Care Act) and the basic healthcare insurance, and for the mutual alignment of care insured under the health insurance policy and that of the WLZ;
SVB: the SVB receives data from the Healthcare Administration Office for the insured person’s administration as referred to in Article 35 of the Wet structuur uitvoeringsorganisatie werk en inkomen (Work and Income Implementation Organization Structure Act) and the payments charged to the personal budget and the associated budget management;
Salland exchanges personal data with supervisory bodies, for example the Nederlandse Zorgautoriteit (Dutch Healthcare Authority) or the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) if this is necessary in the context of the supervisory duties. This is a legal obligation.
Health insurers frequently receive requests, for example from teaching hospitals, for permission to use personal data (about health) for scientific research or statistical purposes. These data are only provided if and insofar as anonymized data will not suffice, the research is in the public interest and asking for permission was not possible.

Salland uses your personal data to inform you about its other products and services that may be interesting to you. Data about your health (for example claim details) are not used for commercial purposes, unless you have given your express permission for this. Sometimes Salland makes selections from its customer base, for example to recommend a product for a certain target group.

Analysis
Salland uses your personal data for analyses for the benefit of marketing activities. This does not involve the use of information about your health, unless you have given your express permission for this.

Selecting customer groups
Salland uses personal data to compile customer groups for marketing activities and improving its service. A customer group may (also) be based on data obtained from sources outside Salland. Your data will not be used for making an exclusively automated decision which entails legal consequences for you or will significantly affect you in any other way.

Cookies
If you visit the Salland website, Salland may store information on your computer in the form of a cookie. Information on cookies on the Salland website can be found in the Cookie Policy.

2. How long are your personal data held?

Salland holds your personal data for as long as is necessary for the purpose for which Salland initially acquired your data. This means that most data are stored for 7 years (starting from the year following that to which the data relate), with a few exceptions.

These exceptions are:

Insurance policy not taken out
It may be that you applied for insurance with Salland, but you did not actually take it out. Either because you yourself decided not to take out the policy, or because Salland turned down your application. In that case, Salland holds your data for one year after the application. This way, Salland can check your data if you submit another application the following year. It also offers Salland the opportunity to approach you with other possibly interesting products, unless you specify you do not wish to receive such offers.
Upon expiry of your insurance policy
Did you take out an insurance policy but has this expired by now? Then we will store your data for a maximum of 7 years after your insurance policy has expired, alternatively a maximum of 7 years after we received bills from you. We do this on account of the requirement in the Health Care Insurance Act. These data may be used for marketing purposes for a maximum of 2 years, unless you indicated that you do not want this.
Medical data in an investigation
Have we conducted an investigation, for which your medical data were used or are your medical data needed for future investigation? Then we store these data for as long as is necessary to carry out and complete the investigation, and afterwards to secure our rights. For example, to recover payments we made if claims were submitted for care that has not been provided.
Fraud
If we used your data in an investigation into fraud, we hold these data for 8 years after the investigation has been completed.
Recording telephone conversations for training purposes
We can record your telephone conversations with us. We do this to train our staff in order to improve our service. These data are held for 6 weeks.
Termination of insurance policy on account of payment behaviour
If your insurance policy was terminated because you did not pay or did not pay on time, the relevant data will be held for a maximum of 5 years.
Complaints and disputes
If we used your data in connection with complaints and disputes, we hold these data for 2 years after the procedure has been completed.
Risk adjustment
Salland keeps all data of policyholders that are necessary for (the completion of) the risk adjustment, for a period of 15 years from 1 January of the year to which the National Health Care Institute allocates the costs of care.

As a result of the risk adjustment, health insurers with more policyholders requiring expensive care on their books than other insurers will receive financial compensation from the government. This is handled by the National Health Care Institute.

3. What are your rights?

You have a right to access, rectify or erase your personal data, right to restrict their use, the right of their portability, as well as the right to raise objections and to withdraw your consent. Below, you can read what these rights entail. .

Acces
You have the right to access to the personal data that Salland has on you and the information for which it uses those personal data.

In general, the right of access has been ensured safely because via My Salland you can see for yourself which personal data about you are processed (name and address details, insurance details, information about the excess that has been paid and premium payments and healthcare costs).

Perhaps you wish to obtain other specific information as well. You can submit a request to this end. Please state in your request which data you would like to access.

Portability of data
You have the right to obtain your personal data from Salland in a structured, commonly used and machine-readable form, if these personal details have been provided to Salland by you or on behalf of you and have been used by Salland via automated procedures.

Salland may also send your personal details directly to another health insurer if those data are necessary to switch to that other health insurer or if they involve authorizations by Salland to reimburse care costs.

If you want Salland to send your data directly to another health insurer, please indicate this in your request.

Rectification
You are entitled to correct (rectify) inaccurate personal data that relate to you. You are entitled to have incomplete personal data made complete, for example by providing a supplementary statement.

Please state in your request which data need to be corrected and why.

Erasing data
You can ask Salland to erase your personal data if you believe one of the following applies:

Salland no longer needs your personal data
Your data are used by virtue of your consent, but you wish to withdraw your consent
You object to the use of your personal data, as described below
Salland was not allowed to use your personal data
Salland was already required to delete your data by law
Salland uses your data for social media

Please state in your request which data you wish to see erased and why you think Salland is obliged to do so. If your request concerns your insurance, erasing data is often impossible, for example because Salland still needs these data, subject to the applicable retention periods (see part 2).

Restriction
You have the right to insist that the use of your personal data is restricted:

in the period that Salland needs to establish whether your data indeed need to be rectified.
if Salland should not have been allowed to use your personal data, but you do not wish to have those data erased.
in the period that you object to the use of your personal data but have not yet had a response from Salland.
if Salland no longer needs your personal data for its own processing purposes and is therefore not permitted to keep them, you can request that Salland keep these data for longer after all. You can submit this request if you still need your own personal data in order to initiate, carry out or substantiate a legal action. Salland must then retain those data for a longer period but it will not be allowed to use them for its own purposes.

If the use of your personal data is restricted, Salland needs your consent to use these data after all. The following exceptions apply. Your personal data are eligible for use after all:
for the implementation of your health care insurance and supplementary health cover, so that you can remain insured and your bills can be paid by your health insurer;
to initiate, carry out or substantiate a legal action;
to protect the rights of another natural or legal person; or
for reasons of great public interest for the European Union or a member state of the European Union, such as public health.

Please state in your request why Salland was not allowed to use your personal data. Or please add the request for restricting the use of your personal data to a request for rectification or to an objection.

If you invoked not only your right to rectification or objection but also your right to restrict the use of your personal data, the use of your personal data will be reduced in this term.

Objection
You have the right to object to the use of your personal data for direct marketing. If your data are used (but not for direct marketing or the implementation of your insurance policy), you may raise an objection to that, if you have special personal reasons to do so. Please specify in your objection which data are involved and state the reason of your objection.

Please specify in your objection which data are involved and state the reason of your objection.

Consent
If Salland only used your personal data with your consent, then you may withdraw your consent at any time. Withdrawing your consent does not work retrospectively. Withdrawing your consent therefore has no effect on actions already performed.

Please state in your request which consent you wish to withdraw.

4. In which way can you exercise your rights?

If you wish to invoke one of your rights that are mentioned below, you can submit a request to that end to the Data Protection Officer at Salland. You can do this by letter or electronically. We will inform you within one month what we have done with your request. If your request is very complicated, this term may be extended by another two months. If Salland wishes to extend the term, we will inform you accordingly within one month after receipt of your request.

If you disagree with the way your request has been handled, you may lodge a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) (or any other European supervisory body). You can also file a petition with the court.

Are you a policyholder and have you taken out basic health insurance for a child? Then you can also invoke the rights stated above (mentioned under 3.) for this child. If the child is 16 years or older, special rules apply. As a policyholder, you are in that case only entitled to the data necessary for taking out the basic health care insurance policy and to gain sufficient insight into the bills to be paid by you. For example, do you request access to the personal data of a child aged 16 or older of which you are the policyholder? Then we can only provide you with the data mentioned above. You can also submit an authorization from the child aged 16 or older that we may provide you with all data. In that case, we will provide you with the data.

5. How are your personal data protected?

Salland has implemented company-wide security measures so as to protect personal data. These measures involve: the organization, the staff, processes, technology and physical protection, and they have been established in Salland’s security policy.

The developments in the world of information security are happening fast. The implementation of the measures is based on internationally applicable standards, such as ISO27002. We periodically check whether our measures are still adequate. This is done by means of risk assessments, internal control plans and by independent audits. Moreover, Salland is directly monitored by various supervisory bodies and the external accountant, and this includes among other things the efficacy of internal control of information security. If Salland deploys third parties in processing personal data, Salland ascertains that the third party has adequate security measures in place, depending on the kind of personal data.

6. How can you get in touch with us?

Privacy statement

Personal data

The main changes compared to the previous version

Our privacy statement

Couldn't find what you were looking for?

Healthcare

Service

Information

Do it yourself