Privacy Statement         

This Privacy Statement applies to the statutory health insurance (“public health insurance”) and the supplementary health insurance from Coöperatie Eno U.A. (hereinafter referred to as Eno). Salland Zorgverzekeringen / ZorgDirect / HollandZorg is part of Eno.

Eno treats your personal data with due care and wishes to explain in this statement how we use your personal data. Because healthcare insurers deem it important that they follow the statutory rules correctly, they have included common rules of conduct in the “Gedragscode verwerking persoonsgegevens zorgverzekeraars” (Code of Conduct for the Processing of Personal Data by Healthcare Insurers). You can find that Code of Conduct here. One of the statutory rules is the obligation of transparency about how the personal data of customers are handled. Healthcare insurers do this by providing this Privacy Statement.


This Privacy Statement answers the following questions:

  1. What are your personal data used for?
  2. How long are your personal data held?
  3. What are your rights?
  4. In which way can you exercise your rights?
  5. How are your personal data protected?
  6. How can you get in touch with your healthcare insurer?

The main changes compared to the previous version

This privacy statement was readopted when the General Data Protection Regulation came into force. Since then, the statement was supplemented as follows:

  • When you, the flex migrant, have taken out group insurance, we will share your personal data with your collectivity on the basis of a legitimate interest. For this exchange, we have carefully weighed up your personal interests against our business interests.

1. What are your personal data used for?

To implement the Healthcare Act and the insurance agreement which Eno entered into with its policyholders, personal data are necessary. Specifically to be able to identify you, Eno includes your ‘burgerservicenummer’ (citizen service number) in its administration (a legal obligation).


Eno may opt to outsource activities. However, Eno always remains responsible for the use of your personal data. Examples of outsourcing in this context would be the activities carried out by Vecozo and Vektis on behalf of healthcare insurers.

(For example, Vecozo enables healthcare providers to submit digital claims to the appropriate healthcare insurer. Vektis provides the health insurance sector in general and individual healthcare insurers with statistical and actuarial information to support policy processes.)


Eno uses your personal data for various purposes only if and insofar as that purpose requires this use.


These purposes are:

I. To assess and accept
II. To conclude and execute the insurance policy
III. Commerce and Marketing


This paragraph will discuss parts I to III in more detail.


I. To assess and accept

Eno uses your personal data to check whether you are subject to compulsory insurance for the public health insurance. The principle for the public health insurance is that every person who is subject to compulsory insurance is accepted, which is laid down in the Healthcare Insurance Act.


For supplementary health insurance, personal data regarding somebody’s health are requested in the context of underwriting policy so as to assess whether the insurance policy that somebody applies for may be concluded. The data are assessed under the responsibility of the medical adviser. This assessment may result in the applicant receiving an offer that differs from what he or she applied for.


Automated processing of application

Your details are processed automatically when you apply for a public health insurance or supplementary health insurance. This is based on the data you entered in the (electronic) application form.


In the case of your application for supplementary health insurance, this may also concern health data. The result will either be the conclusion of the insurance policy or the rejection of your application.

You can always contact Eno and submit a query or lodge a complaint regarding the automated processing of your application.


II. To conclude and execute the insurance policy

Eno needs your personal data for concluding and executing the public health insurance and supplementary health insurance. To execute these insurance policies, we also need information about your health.


Among other things, the execution of the insurance policy covers the following: establishing whether you are entitled to (reimbursement of expenses related to) care, paying the healthcare provider, paying reimbursements to you, collecting the premium, establishing personal contributions and compulsory and voluntary excess, carrying out checks, fighting fraud (including an internal registration system), claiming damages from third parties, carrying out research among policyholders into the quality of care, improving service, targeting groups of policyholders with information that is relevant for them, reducing arrears of the policyholder with the healthcare insurer, ensuring that the policyholder no longer owes an administrative premium, processing complaints and disputes and analysing (personal data) for risk management (including controlling healthcare spending) and the purchase of care.

Examples of the exchange of personal data:

  • If you visit a healthcare provider with whom Eno has concluded a contract, this healthcare provider will directly charge the costs of care to Eno.
  • If you receive a discount on your premium for participating in a collective, Eno uses your personal data to check with your employer or representative from time to time to see if you are still entitled to this discount.


Information about your health

Information about your health is data that Eno treats with extra care. Eno uses these data to determine whether you are entitled to (reimbursement of expenses related to) care. Insofar as this is necessary, details about your health are also used for checks, carrying out investigations into fraud, claiming damages from a third party and analyses for purchasing care and for risk management.


Eno's medical adviser is a professional registered in the Dutch Register of Individual Health Care Professions as a: doctor, dentist, physiotherapist, obstetrician, nurse, healthcare psychologist, psychotherapist or dispensing chemist.

The medical adviser has a legal obligation of confidentiality. The use of health data is the responsibility of the medical adviser(s). Every employee who uses health data falls under the responsibility of the medical adviser, except with regard to actions of a purely administrative nature, such as processing claims from healthcare providers and forwarding and digitalizing post. The group of employees under the responsibility of the medical adviser is called the ‘functional unit’. The employees in the functional unit have the same obligation of confidentiality as that of the medical adviser.


Your personal data may sometimes be shared with or acquired from third parties. They are never sold to third parties. Examples of sharing information with third parties are:

  • Eno provides your citizen service number and your bank account number to the CAK (Centraal Administratie Kantoor, Central Administration Office) if you are eligible for reimbursement of the (compulsory) excess. This is a legal obligation.
  • Eno exchanges personal data with the Municipal Executive of the municipality where you live in order to prevent and reduce debts. This is a legal obligation.
  • Eno exchanges personal data with Zorgkantoren (Healthcare Administration Offices) to prevent care from being paid for both on the grounds of the WLZ (Wet Langdurige Zorg, the Dutch Long-Term Care Act) and the public health insurance, and for the mutual alignment of the care insured under the health insurance policy and the WLZ.
  • Eno exchanges personal data with supervisory bodies, for example the Nederlandse Zorgautoriteit (Dutch Healthcare Authority) or the Autoriteit Persoonsgegevens (Dutch Personal Data Authority) if this is necessary in the context of the supervisory duties. This is a legal obligation.
  • Healthcare insurers frequently receive requests, for example from teaching hospitals or research bureaus, for permission to use personal data (about health) for scientific research or statistical purposes. These data are only provided if and insofar as anonymised data will not suffice, the research is in the public interest and asking for permission was not possible.
  • Eno has an Incident Register in which personal data are included. This register is used to record events that result in or could result in the interests, integrity or safety of the policyholders or (the employees of) Eno or the entire financial industry being jeopardized, such as falsifying bills, identity fraud, skimming, embezzlement in employment, phishing and deliberate deception.
  • The External Referral Register is where the personal data are stored of persons whose behaviour has sufficiently been proved to constitute a (potential) threat to the financial interests of (employees of) Eno and its policyholders. The External Referral Register may be perused by participants in the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen.
  • Eno shares your personal data with IT suppliers. Among other things, they help us send newsletters and process digital contact and complaint forms. It has been contractually agreed with them that they may not use personal data for other purposes and that they properly protect your data.
  • In the case of a “flex migrant”, the personal data are exchanged with the person’s employment agency (collective) in the context of executing the insurance agreement. Examples would be payslips, employment agreements, copies of proof of ID. Eno has a legal obligation to establish the right to insurance and therefore processes the aforementioned personal data. In addition, Eno also exchanges personal data with your collectivity. Examples include your name, address, place of residence, date of birth, gender, policy number, citizen service number, telephone number, IBAN and your e-mail address. We will share claim-related information with your consent only. There is a legitimate interest to share personal data between Eno and your collectivity. It is in Eno’s interest for collectivities to be able to register and de-register you as an insured party in time for healthcare insurance and pay us the premiums. In addition, the exchange of personal data between Eno and collectivities is necessary in order for the insurance records of Eno and the personnel records of collectivities to be in line with each other.

    Eno has carefully weighed up its interests against your fundamental rights and freedoms. One aspect is that Eno is of the opinion that you will experience more convenience; your collectivity takes on a lot of administrative duties. Naturally, you have the right to object to such processing. In that case, please substantiate why greater importance should be attached to your privacy rights. See Chapters 3 and 6 of this statement.

An example of obtaining information from third parties is:

  • Healthcare insurers obtain personal data from the Basisregistratie Personen (Key Register of Persons)


Automated processing of application for authorization or claim

Application for authorization:

Your application for authorization moves through the stages of a careful process, where assessment criteria based on the terms and conditions of the insurance are applied to your application. Applying these criteria can be automatic. You will always receive a message stating whether your application has been rejected or approved. It also describes how you can lodge a complaint if you wish.



Claims are usually processed automatically, where assessment criteria based on the terms and conditions of the insurance are applied to your claim. You always have the right to submit a query or lodge a complaint regarding the automated processing of your claim.


III. Commerce and Marketing

Eno uses your personal data to inform you about its other products and services that may be interesting to you. Data about your health (for example claim data) are not used for commercial purposes. Sometimes Eno makes selections from its customer base, for example to recommend a product for a certain target group. Health data or financial data are not used in making such selections for commercial purposes.



Eno uses your personal data for analyses for the benefit of marketing activities. This does not involve your health data.



If you visit the Eno website, Eno may store information on your computer in the form of a cookie. Information on cookies on the Eno website can be found in the Cookie Policy.

2. How long are your personal data held?

Eno holds your personal data for as long as is necessary for the purpose for which Eno initially acquired your data. This means that most data are stored for 7 years (starting from the year following that to which the data relate), with a few exceptions.

These exceptions are:

  • Insurance policy not taken out
    It may be that you applied for insurance with Eno but did not actually take it out, either because you yourself decided not to take out the policy or because Eno turned down your application. In that case, Eno holds your data for one year after the application. This way, Eno can check your data if you submit another application the following year. It also offers Eno the opportunity to approach you with other possibly interesting products, unless you specify you do not wish to receive such offers.


  • Upon expiry of your insurance
    Did you take out an insurance policy that has since expired? Then we will store your data for a maximum of 7 years after your insurance has expired, alternatively a maximum of 7 years after we received bills from you. We do this on account of the requirement in the Healthcare Insurance Act. These data may be used for marketing purposes for a maximum of 2 years, unless you indicated that you do not want this.


  • Medical data in an investigation
    Have we carried out an investigation, using your medical data? Then we store these data for as long as is necessary to carry out and complete the investigation, and afterwards to secure our rights. For example, to recover payments we made if claims were submitted for care that has not been provided.
  • Fraud
    If we used your data in an investigation into fraud, we hold these data for 8 years after the investigation has been completed.
  • Recording telephone conversations for training purposes
    We can record your telephone conversations with us. We do this to train our staff in order to improve our service. These data are held for 6 weeks.
  • Payment behaviour
    If your insurance was terminated because you did not pay or did not pay on time, the relevant data will be held for a maximum of five years.
  • Complaints and disputes
    If we used your data in connection with complaints and disputes, we hold these data for 2 years after the procedure has been completed.

3. What are your rights?

You are entitled to inspect, rectify or delete your personal data, restrict their use and their portability, raise objections and to withdraw your consent. Below, you can read what these rights entail.


You have the right to inspect the personal data that Eno has on you and the information for which it uses those personal data.

In general, the right of inspection is already ensured in a secure manner, because by means of My Salland, My ZorgDirect or My HollandZorg you can see for yourself which personal data about you are processed (name and address details, insurance details, information about the excess that has been paid and premium payments and healthcare costs).

You may wish to obtain other specific information as well. To this end, you can submit a request. Please state in your request which data you would like to see.


Portability of data

You have the right to obtain your personal data from Eno in a structured, commonly used and machine-readable form, if these personal details have been provided to Eno by you or on behalf of you and have been used by Eno via automated procedures.


Eno may also send your personal details directly to another healthcare insurer if those data are necessary to transfer to that other healthcare insurer or if they involve authorizations by Eno to reimburse care costs.


If you want Eno to send your data directly to another healthcare insurer, please indicate this in your request.



You are entitled to correct (rectify) inaccurate personal data that relate to you. You are entitled to have incomplete personal data made complete, for example by providing a supplementary statement.


Please state in your request which data need to be corrected and why.


Deleting data

You can ask Eno to delete your personal data if according to you one of the following applies:

  • Eno no longer needs your personal data;
  • Your data are used by virtue of your consent, but you wish to withdraw your consent;
  • You object to the use of your personal data, as described below;
  • Eno was not allowed to use your personal data;
  • Eno was already required to delete your data by law;
  • Eno uses your data for social media.


Please state in your request which data you wish to see deleted and why you think Eno is obliged to do so. If your request concerns your insurance, deleting data is often impossible, for example because Eno still needs these data, subject to the applicable retention periods (see part 2).



You have the right to insist that the use of your personal data is restricted:


  • in the period that Eno needs to establish whether your data indeed need to be rectified;
  • if Eno should not have been allowed to use your personal data, but you do not wish to have those data deleted;
  • in the period that you object to the use of your personal data but have not yet had a response from Eno.

If the use of your personal data is restricted, Eno needs your consent to use these data after all. The following exceptions apply. Your personal data are eligible for use after all:


  • for the execution of your health insurance and supplementary health insurance, so that you can remain insured and your bills can be paid by your healthcare insurer;
  • to initiate, carry out or substantiate a legal action before a court;
  • to protect the rights of another natural or legal person; or
  • for reasons of great public interest for the European Union or a member state of the European Union, such as public health.

Please state in your request why Eno was not allowed to use your personal data. Or please add the request for restricting the use of your personal data to a request for rectification or to an objection.


If you invoked not only your right to rectification or objection but also your right to restrict the use of your personal data, the use of your personal data will be reduced in this term. However, bear in mind that upon the expiry of this period you will still have to pay the premium over this period and that your healthcare costs cannot be paid during this period.  



You have the right to object to the use of your personal data if you have special, personal reasons for this.


Please specify in your objection which data are involved and state the reason for your objection.



If Eno only used your personal data with your consent, then you may withdraw your consent at any time. Withdrawing your consent does not work retrospectively. Withdrawing your consent therefore has no effect on actions already performed.


Please state in your request which consent you wish to withdraw.

4. In which way can you exercise your rights?

If you wish to invoke one of your rights that are mentioned below, you can submit a request to that end to the Data Protection Officer at Eno. You can do this by letter or electronically. We will inform you within one month what we have done with your request. If your request is very complicated, this term may be extended by another two months. If Eno wishes to extend the term, we will inform you accordingly within one month after receipt of your request.


Please state your policy number in your request and give the reasons for your request.

If you disagree with the way your request has been handled, you may lodge a complaint with the Autoriteit Persoonsgegevens (Personal Data Authority) (or any other European supervisory body). You can also file a petition with the court.


Conditions governing the provision of information

Do you wish to inspect your data? In that case we will need your proof of ID first. We do not provide details about your health, claim or damage details by fax or by unsecured email. This is to protect your privacy. The inspection will take place in our office in Deventer, the Netherlands.

Would you like to give other people permission to deal with your insurance? In that case, we would like you to arrange this through a power of attorney. Only in this way can we prevent misuse or inaccurate use of your data.


5. How are your personal data protected?

Eno has implemented security measures company-wide in order to protect personal data. These measures involve: the organization, the staff, processes, technology and physical protection, and they have been established in Eno’s security policy.


The developments in the world of information security are happening at a high pace. The implementation of the measures is based on internationally applicable standards. We periodically check whether our measures are still adequate. This happens by means of risk assessments, internal control plans and by independent audits. Moreover, Eno is directly monitored by various supervisory bodies and the external accountant, and this includes among other things the efficacy of internal control of information security. If Eno deploys third parties in processing personal data, Eno ascertains that the third party has adequate security measures in place, depending on the kind of personal data.

6. How can you get in touch with your healthcare insurer?

Should you have any queries, then it goes without saying that you can always turn to Eno. 

Please contact:


Coöperatie Eno U.A.

Afdeling Compliance & Risk (Compliance & Risk Department)

FAO the Functionaris voor de Gegevensbescherming (Data Protection Officer)

Postbus 166

7400 AD Deventer


Or send us an email to


This Privacy Statement is subject to change. The most recent version can always be found here. The date of the most recent change is included at the bottom of this statement.

Deventer, 2 April 2020