To implement the Healthcare Act and the insurance agreement which Salland entered into with its policyholders, personal data are necessary. Specifically to be able to identify you, Salland includes your BSN (citizen service number) in its administration (a legal obligation).
Salland may opt to outsource activities. However, Salland always remains responsible for the use of your personal data. Examples of outsourcing in this context would be the activities carried out by VECOZO and Vektis on behalf of healthcare insurers.
(For example, VECOZO enables healthcare providers to submit digital claims to the appropriate healthcare insurer. Vektis provides the health insurance sector in general and individual healthcare insurers with statistical and actuarial information to support policy processes.)
Salland uses your personal data for various purposes only if and insofar as that purpose requires this use.
These purposes are:
I. To assess and accept
II. To conclude and execute the insurance policy
III. Commerce and Marketing
Salland may opt to outsource activities. However, Salland always remains responsible for the use of your personal data. Examples of outsourcing in this context would be the activities carried out by Vecozo and Vektis on behalf of healthcare insurers.
Care providers can, for example, consult the current insurance data (public and/or supplementary health insurance package) of insured parties via VECOZO’ Insurance Data Check (COV) service. In addition, they can submit digital claim forms via VECOZO to the appropriate health insurer. Vektis supports healthcare professionals, patient organisations and government parties in improving healthcare and keeping good healthcare accessible and affordable in the Netherlands. Vektis analyses claim data for health insurers. Sometimes, Vektis provides this data to third parties on behalf of health insurers, often for scientific research or to comply with a statutory obligation.
This paragraph will discuss parts I to III in more detail.
I. To assess and accept
Salland uses your personal data to check whether you are subject to compulsory insurance for the public health insurance. The principle for the public health insurance is that every person who is subject to compulsory insurance is accepted, which is laid down in the Healthcare Insurance Act.
For supplementary health insurance, personal data regarding somebody’s health are requested in the context of underwriting policy so as to assess whether the insurance policy that somebody applies for may be concluded. The data are assessed under the responsibility of the medical adviser. This assessment may result in the applicant receiving an offer that differs from what he or she applied for.
Automated processing of application
Your details are processed automatically when you apply for a public health insurance or supplementary health insurance. This is based on the data you entered in the (electronic) application form.
In the case of your application for supplementary health insurance, this may also concern health data. The result will either be the conclusion of the insurance policy or the rejection of your application.
You can always contact Salland and submit a query or lodge a complaint regarding the automated processing of your application. The question or complaint is examined by an Salland employee.
II. To conclude and execute the insurance policy
Salland needs your personal data for concluding and executing the public health insurance and supplementary health insurance. To execute these insurance policies, we also need information about your health.
Among other things, the execution of the insurance policy covers the following: establishing whether you are entitled to (reimbursement of expenses related to) care, paying the healthcare provider, paying reimbursements to you, collecting the premium, providing you with a service, establishing personal contributions and compulsory and voluntary excess, carrying out checks, fighting fraud (including an internal registration system), claiming damages from third parties, including insurers (such as your travel insurer), the person liable for the damage or the liability insurer, carrying out research among policyholders into the quality of care, improving service, targeting groups of policyholders with information that is relevant for them, reducing arrears of the policyholder with the healthcare insurer, ensuring that the policyholder no longer owes an administrative premium, processing complaints and disputes and analysing (personal data) for risk management (including controlling healthcare spending) and the purchase of care.
Salland maintains an Events Record to ensure the security and integrity of the service and the sector. The Security Affairs Department or another designated department may decide to include the personal data from the Event Record in an Internal Reference Register (IVR). Salland only includes personal data of persons or legal entities in the IVR that pose a risk to the safety and/or integrity of the health insurer. If an event meets the criteria of the Incident Financial Institutions Incident Warning System Protocol (PIFI), Salland will record the relevant personal data in an Incident Register and, where appropriate, the External Reference Register (EVR, mentioned below under ‘Exchange with third parties’).
Exchange with third parties
Your personal data may sometimes be shared with or acquired from third parties. They are never sold to third parties. Examples of sharing information with third parties are:
- Salland provides your citizen service number and your bank account number to the CAK (Centraal Administratie Kantoor, Central Administration Office) if you are eligible for reimbursement of the (compulsory) excess. This is a legal obligation.
- Salland exchanges personal data with the Municipal Executive of the municipality where you live in order to prevent and reduce debts. This is a legal obligation.
- Employers or representatives: if you receive a discount on your premium for participating in a group scheme, Salland uses your personal data to check with your employer or representative periodically to see if you are still entitled to this discount.
- Salland exchanges personal data with Zorgkantoren (Healthcare Administration Offices) to prevent that care is being paid for both on the grounds of the WLZ (Wet Langdurige Zorg, the Dutch Long-Term Care Act) and the public health insurance, and for the mutual alignment of the care insured under the health insurance policy and the WLZ;
- SVB: the SVB receives data from the Care Office for the insured person’s administration as referred to in Article 35 of the Work and Income (Implementation Organisation Structure) Act and the payments charged to the personal budget and the associated budget management;
- Salland exchanges personal data with supervisory bodies, for example the Nederlandse Zorgautoriteit (Dutch Healthcare Authority) or the Autoriteit Persoonsgegevens (Dutch Personal Data Authority) if this is necessary in the context of the supervisory duties. This is a legal obligation.
- Healthcare insurers frequently receive requests, for example from teaching hospitals or research bureaus, for permission to use personal data (about health) for scientific research or statistical purposes. These data are only provided if and insofar as anonymised data will not suffice, the research is in the public interest and asking for permission was not possible.
- Salland has an Incident Register in which personal data are included. This register is used to record events that result in or could result in the interests, integrity or safety of the policyholders or (the employees of) Salland or the entire financial industry being jeopardized, such as falsifying bills, identity fraud, skimming, embezzlement in employment, phishing and deliberate deception.
- Basis Registratie Personen (Key Register of Persons): Healthcare insurers obtain personal data from the Basis Registratie Personen.
- The National Terrorism Sanctions List of the Central Government: Health insurers should check whether you are on this list. If you are on the list, this will be reported to De Nederlandsche Bank.
- Other insurer: we sometimes exchange data to recover damage or costs that we have reimbursed, for example, from your travel insurer if they also offer cover in addition to your public or supplementary health insurance, or from the liability insurer of another person, who is responsible for the damage or costs.
- Healthcare providers with whom Salland has concluded a contract: they will directly charge the costs of care to Salland.
- The External Referral Register is where the personal data are stored of persons whose behaviour has sufficiently been proved to constitute a (potential) threat to the financial interests of (employees of) Salland and its policyholders. The External Referral Register may be perused by participants in the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen.
- Salland shares your personal data with IT suppliers. Among other things, they help us send newsletters, process digital contact and complaint forms. It has been contractually agreed with them that they may not use personal data for other purposes and that they properly protect your data.
- In the case of a “flex migrant”, the personal data are exchanged with the person’s employment agency (collective) in the context of executing the insurance agreement. Examples would be payslips, employment agreements, copies of proof of ID. Salland has a legal obligation to establish the right to insurance and therefore processes the aforementioned personal data. In addition, Salland also exchanges personal data with your collectivity. Examples include your name, address, place of residence, date of birth, gender, policy number, citizen service number, telephone number, IBAN and your e-mail address. We will share claim-related information with your consent only. There is a legitimate interest to share personal data between Salland and your collectivity. It is in Salland's interest for collectivities to be able to register and de-register you as an insured party in time for healthcare insurance and pay us the premiums. In addition, the exchange of personal data between Salland and collectivities is necessary in order for the insurance records of Salland and the personnel records of collectivities to be in line with each other.
- Salland has carefully weighed up its interests against your fundamental rights and freedoms. One aspect is that Salland is of the opinion that you will experience more convenience; your collectivity takes on a lot of administrative duties. Naturally, you have the right to object to such processing. In that case, please substantiate why greater importance should be attached to your privacy rights. See Chapters 3 and 6 of this statement.
An example of obtaining information from third parties is:
- Healthcare insurers obtain personal data from the Basisregistratie Personen (Key Register of Persons)
Automated processing of application for authorization or claim
Application for authorization:
Your application for authorization moves through the stages of a careful process, where assessment criteria based on the terms and conditions of the insurance are applied to your application. Applying these criteria can be automatic. You will always receive a message stating whether your application has been rejected or approved. It also describes how you can lodge a complaint if you wish.
Claims are usually processed automatically, where assessment criteria based on the terms and conditions of the insurance are applied to your claim. You always have the right to submit a query or lodge a complaint regarding the automated processing of your claim. The question or complaint is examined by an Eno employee.
III. Commerce and Marketing
Salland uses your personal data to inform you about its other products and services that may be interesting to you. Data about your health (for example claim data) are not used for commercial purposes, unless you have granted your explicit consent for this. Sometimes Salland makes selections from its customer base, for example to recommend a product for a certain target group. Health data or financial data are not used in making such selections for commercial purposes.
Salland uses your personal data for analyses for the benefit of marketing activities. This does not involve your health data, unless you have granted your explicit consent for this.