Privacy Statement

This Privacy Statement applies to the statutory health insurance (public health insurance) and the supplementary health insurance from Coöperatie Salland Zorgverzekeraar U.A. (hereinafter to be referred to as Salland). HollandZorg is part of Salland Zorgverzekeraar.

Personal data

Personal data is all data that says something about you or your personal situation. Sometimes, the information is not directly about you, but it can be traced back to you. In that case, too, it is personal data.

Data about companies is not personal data. Data about their employees, individual healthcare providers or customers is.

Salland Zorgverzekeraar treats your personal data with due care and with this statement wishes to explain to you how we use your personal data. Because healthcare insurers deem it important that they follow the statutory rules correctly, they have included common rules of conduct in the “Gedragscode verwerking persoonsgegevens zorgverzekeraars” (Code of Conduct for the Processing of Personal Data by Healthcare Insurers). You can find that Code of Conduct here. One of the statutory rules is the obligation of transparency about how the personal data of customers are handled. Healthcare insurers do this by providing this Privacy Statement.

This Privacy Statement answers the following questions:

  1. What are your personal data used for?
  2. How long are your personal data held?
  3. What are your rights?
  4. In which way can you exercise your rights?
  5. How are your personal data protected?
  6. How can you get in touch with your healthcare insurer?

The main changes compared to the previous version

This privacy statement was readopted when the General Data Protection Regulation came into force. Since then, the statement was supplemented as follows:

  • When you, the flex migrant, have taken out group insurance, we will share your personal data with your collectivity on the basis of a legitimate interest. For this exchange, we have carefully weighed up your personal interests against our business interests.

Frequently Asked Questions

1. What are your personal data used for?

To implement the Healthcare Act and the insurance agreement which Salland entered into with its policyholders, personal data are necessary. Specifically to be able to identify you, Salland includes your BSN (citizen service number) in its administration (a legal obligation).

Salland may opt to outsource activities. However, Salland always remains responsible for the use of your personal data. Examples of outsourcing in this context would be the activities carried out by VECOZO and Vektis on behalf of healthcare insurers.

(For example, VECOZO enables healthcare providers to submit digital claims to the appropriate healthcare insurer. Vektis provides the health insurance sector in general and individual healthcare insurers with statistical and actuarial information to support policy processes.)

Salland uses your personal data for various purposes only if and insofar as that purpose requires this use.

These purposes are:
I. To assess and accept
II. To conclude and execute the insurance policy
III. Commerce and Marketing

Salland may opt to outsource activities. However, Salland always remains responsible for the use of your personal data. Examples of outsourcing in this context would be the activities carried out by VECOZO and Vektis on behalf of healthcare insurers.
Care providers can, for example, consult the current insurance data (public and/or supplementary health insurance package) of insured parties via VECOZO’s Insurance Data Check (COV) service. In addition, they can submit digital claim forms via VECOZO to the appropriate health insurer. Vektis supports healthcare professionals, patient organisations and government parties in improving healthcare and keeping good healthcare accessible and affordable in the Netherlands. Vektis analyses claim data for health insurers. Sometimes, Vektis provides this data to third parties on behalf of health insurers, often for scientific research or to comply with a statutory obligation.

This paragraph will discuss parts I to III in more detail.

I. To assess and accept
Salland uses your personal data to check whether you are subject to compulsory insurance for the public health insurance. The principle for the public health insurance is that every person who is subject to compulsory insurance is accepted, which is laid down in the Healthcare Insurance Act.

For supplementary health insurance, personal data regarding somebody’s health are requested in the context of underwriting policy so as to assess whether the insurance policy that somebody applies for may be concluded. The data are assessed under the responsibility of the medical adviser. This assessment may result in the applicant receiving an offer that differs from what he or she applied for.

Automated processing of application
Your details are processed automatically when you apply for a public health insurance or supplementary health insurance. This is based on the data you entered in the (electronic) application form.

In the case of your application for supplementary health insurance, this may also concern health data. The result will either be the conclusion of the insurance policy or the rejection of your application.

You can always contact Salland and submit a query or lodge a complaint regarding the automated processing of your application. The question or complaint is examined by a Salland employee.

II. To conclude and execute the insurance policy
Salland needs your personal data for concluding and executing the public health insurance and supplementary health insurance. To execute these insurance policies, we also need information about your health.

Among other things, the execution of the insurance policy covers the following: establishing whether you are entitled to (reimbursement of expenses related to) care, paying the healthcare provider, paying reimbursements to you, collecting the premium, providing you with a service, establishing personal contributions and compulsory and voluntary excess, carrying out checks, fighting fraud (including an internal registration system), claiming damages from third parties, including insurers (such as your travel insurer), the person liable for the damage or the liability insurer, carrying out research among policyholders into the quality of care, improving service, targeting groups of policyholders with information that is relevant for them, reducing arrears of the policyholder with the healthcare insurer, ensuring that the policyholder no longer owes an administrative premium, processing complaints and disputes and analysing (personal data) for risk management (including controlling healthcare spending) and the purchase of care.

Salland maintains an Events Record to ensure the security and integrity of the service and the sector. The Security Affairs Department or another designated department may decide to include the personal data from the Events Record in an Internal Reference Register (IVR). Salland only includes personal data of persons or legal entities in the IVR that pose a risk to the safety and/or integrity of the health insurer. If an event meets the criteria of the Financial Institutions Incident Warning System Protocol (PIFI), Salland will record the relevant personal data in an Incident Register and, where appropriate, the External Reference Register (EVR, mentioned below under ‘Exchange with third parties’).

Exchange with third parties

Your personal data may sometimes be shared with or acquired from third parties. They are never sold to third parties. Examples of sharing information with third parties are:
  • Salland provides your citizen service number and your bank account number to the CAK (Centraal Administratie Kantoor, Central Administration Office) if you are eligible for reimbursement of the (compulsory) excess. This is a legal obligation.
  • Salland exchanges personal data with the Municipal Executive of the municipality where you live in order to prevent and reduce debts. This is a legal obligation.
  • Employers or representatives: if you receive a discount on your premium for participating in a group scheme, Salland uses your personal data to check with your employer or representative periodically to see if you are still entitled to this discount.
  • Salland exchanges personal data with Zorgkantoren (Healthcare Administration Offices) to prevent care being paid for under both the WLZ (Wet Langdurige Zorg, the Dutch Long-Term Care Act) and the public health insurance, and for the mutual alignment of the care insured under the health insurance policy and the WLZ.
  • SVB: the SVB receives data from the Care Office for the insured person’s administration as referred to in Article 35 of the Work and Income (Implementation Organisation Structure) Act and the payments charged to the personal budget and the associated budget management.
  • Salland exchanges personal data with supervisory bodies, for example the Nederlandse Zorgautoriteit (Dutch Healthcare Authority) or the Autoriteit Persoonsgegevens (Dutch Personal Data Authority) if this is necessary in the context of the supervisory duties. This is a legal obligation.
  • Healthcare insurers frequently receive requests, for example from teaching hospitals or research bureaus, for permission to use personal data (about health) for scientific research or statistical purposes. These data are only provided if and insofar as anonymised data will not suffice, the research is in the public interest and asking for permission was not possible.
  • Salland has an Incident Register in which personal data are included. This register is used to record events that result in or could result in the interests, integrity or safety of the policyholders or (the employees of) Salland or the entire financial industry being jeopardized, such as falsifying bills, identity fraud, skimming, embezzlement in employment, phishing and deliberate deception.
  • Basisregistratie Personen (Key Register of Persons): Healthcare insurers obtain personal data from the Basisregistratie Personen.
  • The National Terrorism Sanctions List of the Central Government: Health insurers should check whether you are on this list. If you are on the list, this will be reported to De Nederlandsche Bank.
  • Other insurer: we sometimes exchange data to recover damage or costs that we have reimbursed, for example, from your travel insurer if they also offer cover in addition to your public or supplementary health insurance, or from the liability insurer of another person, who is responsible for the damage or costs.
  • Healthcare providers with whom Salland has concluded a contract: they will directly charge the costs of care to Salland.
  • The External Referral Register is where the personal data are stored of persons whose behaviour has sufficiently been proved to constitute a (potential) threat to the financial interests of (employees of) Salland and its policyholders. The External Referral Register may be perused by participants in the Protocol Incidentenwaarschuwingssysteem Financiële Instellingen.
  • Salland shares your personal data with IT suppliers. Among other things, they help us send newsletters, process digital contact and complaint forms. It has been contractually agreed with them that they may not use personal data for other purposes and that they properly protect your data.
  • In the case of a “flex migrant”, the personal data are exchanged with the person’s employment agency (collective) in the context of executing the insurance agreement. Examples would be payslips, employment agreements, copies of proof of ID. Salland has a legal obligation to establish the right to insurance and therefore processes the aforementioned personal data. In addition, Salland also exchanges personal data with your collectivity. Examples include your name, address, place of residence, date of birth, gender, policy number, citizen service number, telephone number, IBAN and your e-mail address. We will share claim-related information with your consent only. There is a legitimate interest to share personal data between Salland and your collectivity. It is in Salland's interest for collectivities to be able to register and de-register you as an insured party in time for healthcare insurance and pay us the premiums. In addition, the exchange of personal data between Salland and collectivities is necessary in order for the insurance records of Salland and the personnel records of collectivities to be in line with each other.
  • Salland has carefully weighed up its interests against your fundamental rights and freedoms. One aspect is that Salland is of the opinion that you will experience more convenience; your collectivity takes on a lot of administrative duties. Naturally, you have the right to object to such processing. In that case, please substantiate why greater importance should be attached to your privacy rights. See Chapters 3 and 6 of this statement.

An example of obtaining information from third parties is:

  • Healthcare insurers obtain personal data from the Basisregistratie Personen (Key Register of Persons)

Automated processing of application for authorization or claim

Application for authorization:
Your application for authorization moves through the stages of a careful process, where assessment criteria based on the terms and conditions of the insurance are applied to your application. Applying these criteria can be automatic. You will always receive a message stating whether your application has been rejected or approved. It also describes how you can lodge a complaint if you wish.

Claims are usually processed automatically, where assessment criteria based on the terms and conditions of the insurance are applied to your claim. You always have the right to submit a query or lodge a complaint regarding the automated processing of your claim. The question or complaint is examined by an Eno employee.

III. Commerce and Marketing
Salland uses your personal data to inform you about its other products and services that may be interesting to you. Data about your health (for example claim data) are not used for commercial purposes, unless you have granted your explicit consent for this. Sometimes Salland makes selections from its customer base, for example to recommend a product for a certain target group. Health data or financial data are not used in making such selections for commercial purposes.

Salland uses your personal data for analyses for the benefit of marketing activities. This does not involve your health data, unless you have granted your explicit consent for this.

If you visit the Salland website, Salland may store information on your computer in the form of a cookie. Information on cookies on the Salland website can be found in the Cookie Policy.

2. How long are your personal data held?

Salland holds your personal data for as long as is necessary for the purpose for which Salland initially acquired your data. This means that most data are stored for 7 years (starting from the year following that to which the data relate), with a few exceptions.

These exceptions are:

  • Insurance policy not taken out
    It may be that you applied for insurance with Salland, but you did not actually take it out. Either because you yourself decided not to take out the policy, or because Salland turned down your application. In that case, Salland holds your data for one year after the application. This way, Salland can check your data if you submit another application the following year. It also offers Salland the opportunity to approach you with other possibly interesting products, unless you specify you do not wish to receive such offers.

  • Upon expiry of your insurance
    Did you take out an insurance policy but has this expired by now? Then we will store your data for a maximum of 7 years after your insurance has expired, alternatively a maximum of 7 years after we received bills from you. We do this on account of the requirement in the Healthcare Insurance Act. These data may be used for marketing purposes for a maximum of 2 years, unless you indicated that you do not want this.

  • Medical data in an investigation
    Have we carried out an investigation, using your medical data? Then we store these data for as long as is necessary to carry out and complete the investigation, and afterwards to secure our rights. For example, to recover payments we made if claims were submitted for care that has not been provided.

  • Fraud
    If we used your data in an investigation into fraud, we hold these data for 8 years after the investigation has been completed.

  • Recording telephone conversations for training purposes
    We can record your telephone conversations with us. We do this to train our staff in order to improve our service. These data are held for 6 weeks.

  • Payment behaviour
    If your insurance was terminated because you did not pay or did not pay on time, the relevant data will be held for a maximum of 5 years.

  • Complaints and disputes
    If we used your data in connection with complaints and disputes, we hold these data for 2 years after the procedure has been completed.

3. What are your rights?

You are entitled to inspect, rectify or delete your personal data, restrict their use and their portability, raise objections and to withdraw your consent. Below, you can read what these rights entail.

You have the right to inspect the personal data that Salland has on you and the information for which it uses those personal data.

In general, the right of inspection is safely ensured because you can see for yourself in My HollandZorg which personal data about you are processed (name and address details, insurance details, information about the excess that has been paid and premium payments and healthcare costs).

You may wish to obtain other specific information as well. To this end, you can submit a request. Please state in your request which data you would like to see.

Portability of data
You have the right to obtain your personal data from Salland in a structured, commonly used and machine-readable form, if these personal details have been provided to Salland by you or on behalf of you and have been used by Salland via automated procedures.

Salland may also send your personal details directly to another healthcare insurer if those data are necessary to transfer to that other healthcare insurer or if they involve authorizations by Salland to reimburse care costs.

If you want Salland to send your data directly to another healthcare insurer, please indicate this in your request.

You are entitled to have inaccurate personal data that relate to you corrected (rectified). You are entitled to have incomplete personal data made complete, for example by providing a supplementary statement.

Please state in your request which data need to be corrected and why.

Deleting data

You can ask Salland to delete your personal data if according to you one of the following applies:

  • Salland no longer needs your personal data
  • Your data are used by virtue of your consent, but you wish to withdraw your consent
  • You object to the use of your personal data, as described below
  • Salland was not allowed to use your personal data
  • Salland was already required to delete your data by law
  • Salland uses your data for social media

Please state in your request which data you wish to see deleted and why you think Salland is obliged to do so. If your request concerns your insurance, deleting data is often impossible, for example because Salland still needs these data, subject to the applicable retention periods (see part 2).

You have the right to insist that the use of your personal data is restricted:

  • in the period that Salland needs to establish whether your data indeed need to be rectified
  • if Salland should not have been allowed to use your personal data, but you do not wish to have those data deleted
  • in the period that you object to the use of your personal data but have not yet had a response from Salland.

If the use of your personal data is restricted, Salland needs your consent to use these data after all. The following exceptions apply. Your personal data are eligible for use after all:

  • for the execution of your health insurance and supplementary health insurance, so that you can remain insured and your bills can be paid by your healthcare insurer
  • to initiate, carry out or substantiate a legal action before a court
  • to protect the rights of another natural or legal person; or
  • for reasons of great public interest for the European Union or a member state of the European Union, such as public health

Please state in your request why Salland was not allowed to use your personal data. Or please add the request for restricting the use of your personal data to a request for rectification or to an objection.

If you invoked not only your right to rectification or objection but also your right to restrict the use of your personal data, the use of your personal data will be reduced in this term. However, bear in mind that upon the expiry of this period you will still have to pay the premium over this period and that your healthcare costs cannot be paid during this period.

You have the right to object to the use of your personal data if you have special, personal reasons for this.

Please specify in your objection which data are involved and state the reason for your objection.

If Salland only used your personal data with your consent, then you may withdraw your consent at any time. Withdrawing your consent does not work retrospectively. Withdrawing your consent therefore has no effect on actions already performed.

Please state in your request which consent you wish to withdraw.

4. In which way can you exercise your rights?

If you wish to invoke one of the rights mentioned above, you can submit a request to that end to the Data Protection Officer at Salland. You can do this by letter or via email. We will inform you within one month what we have done with your request. If your request is very complicated, this term may be extended by another two months. If Salland wishes to extend the term, we will inform you accordingly within one month after receipt of your request.

Please state your policy number in your request and give the reasons for your request.
If you disagree with the way your request has been handled, you may lodge a complaint with the Autoriteit Persoonsgegevens (Personal Data Authority) (or any other European supervisory body). You can also file a petition with the court.

Are you a policyholder and have you taken out public health insurance for a child? Then you can also invoke the rights stated above (mentioned under 3.) for this child. If the child is 16 years or older, special rules do apply. As a policyholder, you are in that case only entitled to the data that is necessary for taking out the public health insurance and to gain sufficient insight into the bills to be paid by you. For example, if you request access to the personal data of a child aged 16 or older of which you are the policyholder, we can only provide you with the data mentioned above. You can also submit an authorisation from the child aged 16 or older that we may provide you with all data. In that case, we will provide you with the data.

Conditions governing the provision of information
Do you wish to inspect your data? In that case we will need your proof of ID first. We do not provide details about your health, claim or damage details by fax or by unsecured email. This is to protect your privacy. The inspection will take place in our office in Deventer, the Netherlands.

Would you like to give other people permission to deal with your insurance? In that case, we would like you to arrange this through a power of attorney. Only in this way can we prevent misuse or inaccurate use of your data.

5. How are your personal data protected?

Salland has implemented security measures company-wide in order to protect personal data. These measures involve: the organization, the staff, processes, technology and physical protection, and they have been established in Salland's security policy.

The developments in the world of information security are happening at a high pace. The implementation of the measures is based on internationally applicable standards. We periodically check whether our measures are still adequate. This happens by means of risk assessments, internal control plans and by independent audits. Moreover, Salland is directly monitored by various supervisory bodies and the external accountant, and this includes among other things the efficacy of internal control of information security. If Salland deploys third parties in processing personal data, Salland ascertains that the third party has adequate security measures in place, depending on the kind of personal data.

6. How can you get in touch with us?

Should you have any queries, then it goes without saying that you can always turn to Salland.

Please contact:

Coöperatie Salland Zorgverzekeraar U.A.
Afdeling Compliance & Risk (Compliance & Risk Department)
FAO the Functionaris voor de Gegevensbescherming (Data Protection Officer)
Postbus 166
7400 AD Deventer

Or send us an email to

This Privacy Statement is subject to change. The most recent version can always be found here. The date of the most recent change is included at the bottom of this statement.