Use of personal data

This privacy statement applies to ZEM's use of personal data in executing the ZEM Polis basic healthcare insurance and AV-ZEM supplementary insurance. ZEM is a brand operated by Zorg en Zekerheid.

Personal data are all the data that say something about you or about your personal situation. Sometimes the information is not strictly about you, but can be traced to your person. Such information also qualifies as personal data.

Data about companies do not qualify as personal data. However, the data companies hold about their employees, individual care providers and customers do.

Zorg en Zekerheid processes your personal data with great care and has issued this statement to explain how it uses your personal data. Healthcare insurers attach great importance to proper compliance with statutory rules and regulations. This is why they have included joint rules of conduct in their Code of Conduct for the Processing of Personal Data by Healthcare Insurers. One statutory privacy rule involves an obligation to observe transparency on the way in which the personal data of customers are handled. Healthcare insurers meet this obligation by publishing a privacy statement.

This privacy statement provides answers to the following questions:

1. What do we use your personal data for?

2. For how long do we keep your personal data?

3. What are your rights?

4. How can you exercise your rights?

5. How are your personal data protected?

6. How to contact your healthcare insurer?

1. What do we use your personal data for?

We need to process personal data in order to be able to comply with the Healthcare Insurance Act and execute the insurance contracts that Zorg en Zekerheid enters into with insured persons. Zorg en Zekerheid includes your citizen service number in its records for the specific purpose of identifying you as an insured person (this is a statutory obligation).

Zorg en Zekerheid also uses your personal data for various other purposes, but only to the extent required for each purpose.

These purposes are:

I. Assessment and acceptance
II. Entering into and executing insurance contracts
III. Commerce and Marketing

Zorg en Zekerheid may decide to outsource certain activities. However, we will always remain responsible for the use of your personal data. Examples of outsourced activities include those performed by parties such as VECOZO and Vektis on behalf of healthcare insurers. For example, through VECOZO's Insurance Data Monitoring Service (COV) care providers can view the current insurance status (basic healthcare insurance (zorgverzekeringspakket) and/or supplementary insurance) of insured persons. In addition, via VECOZO they can submit electronic claims to the right healthcare insurer. Vektis supports healthcare professionals, patients’ associations and government bodies in their efforts to improve care and maintain an accessible and affordable high-quality healthcare system in the Netherlands. Vektis analyses claims on behalf of healthcare insurers. It may sometimes, on a healthcare insurer's instructions, provide those data to third parties – often for the purpose of scientific research or to comply with a statutory obligation.

Each of these purposes I, II and III is described in more detail below.

I. Assessment and acceptance

Zorg en Zekerheid uses your personal data to check whether you are subject to compulsory basic insurance. Pursuant to the Healthcare Insurance Act, every person subject to compulsory insurance must be accepted for basic insurance.

Automated processing of applications
When you apply for basic or supplementary healthcare insurance, your data will be processed in an automated system. We will do so on the basis of the data you have entered in the electronic application form.

If you have a question or wish to submit a complaint about the automated processing of your request, please contact Zorg en Zekerheid. A Zorg en Zekerheid employee will then examine your question or complaint.

II. Entering into and executing insurance contracts

Zorg en Zekerheid needs your personal details to enter into and execute basic insurance and supplementary healthcare insurance contracts. For this purpose, we also need data about your health.

Executing the insurance contract covers the following actions: determining whether you are entitled to (reimbursement of the costs of) care, making payments to the care provider, paying reimbursements to you, collecting insurance premiums, determining the amount of your personal contribution and your voluntary and compulsory excess, performing checks, combating fraud (and maintaining an internal registration system for that purpose), recovering damages from third parties, conducting surveys among insured persons as to the quality of care, improving services, providing groups of insured persons with targeted information, reducing premium payment arrears of policy holders, taking action to ensure the policy holder no longer owes premiums under administrative law, handling complaints and disputes, and analysing personal (and other) data for risk management purposes (including care expenditure control) and care purchasing.

Zorg en Zekerheid maintains an Events Register to safeguard the security and integrity of its services and the sector. The Special Affairs department may decide to include personal data from the Events Register in an Internal Reference Register (IVR). In the IVR, Zorg en Zekerheid only includes personal data of legal persons that pose a risk to the safety and/or integrity of the healthcare insurer or the Group to which Zorg en Zekerheid belongs. If a particular event meets the criteria of the Financial Institutions Incident Warning Protocol (PIFI), Zorg en Zekerheid will include the personal data concerned in an Incidents Register and, where relevant, in the External Reference Register (EVR, see ‘Exchanging data with third parties’ below).

Exchanging data with third parties
We sometimes exchange your personal data with, or receive your personal data from, third parties. We never sell your personal data to third parties. Third parties with which we may exchange personal data include:

• CAK (Central Administration Office for Exceptional Medical Expenses): Zorg en Zekerheid will disclose your citizen service number and your bank account number to CAK if you qualify for reimbursement of your (compulsory) excess. We are under a statutory obligation to do so.

• Municipal Executive: Zorg en Zekerheid exchanges personal details with the Municipal Executive of the municipality where you live in order to prevent and reduce debt. We are under a statutory obligation to do so.

• Employers or representative agents: If you receive a premium discount because you participate in a group scheme, Zorg en Zekerheid will use your personal data to periodically check your continued entitlement to the discount with your employer or representative agent.

• Care Administration Offices: To prevent healthcare costs being paid both under the Long-Term Care Act (Wlz) and under basic insurance, and to ensure effective coordination of care insured under the healthcare insurance and the Wlz.

• SVB (Social Insurance Bank): The SVB receives data from the Care Administration Office for the purpose of keeping the records of insured persons as referred to in Section 35 of the Work and Income (Implementation Organisation Structure) Act (Wet SUWI) and for payments from the personal care budget and the associated budget management.

• Zorg en Zekerheid exchanges personal data with supervisory authorities (such as the Dutch Healthcare Authority and the Dutch Data Protection Authority) to the extent required for their supervisory tasks. We are under a statutory obligation to do so.

• Healthcare insurers regularly receive requests, for example from university medical centres, for permission to use (health-related) personal data for scientific research or statistics. Personal data will only be made available if and to the extent anonymous data will not suffice, if the research serves the general interest and if it was impossible to ask for permission.

• Zorg en Zekerheid maintains an Incidents Register in which it also includes personal data. We use this register to record events which could potentially or do actually compromise the interests, integrity or safety of the insured persons, Zorg en Zekerheid or its employees, or the financial sector as a whole. Examples of such events are forgery of bills, ID fraud, skimming, workplace theft, phishing and deliberate deception.

• We also have an External Reference Register, which includes the personal data of individuals whose conduct has sufficiently proved to pose an actual or potential threat to the financial interests of Zorg en Zekerheid, its employees or its insured persons. Information in the External Reference Register is available to participants in the Incident Warning System (Financial Institutions) Protocol.

• Key Register of Persons: Healthcare insurers obtain personal data from the Key Register of Persons.

• Care providers contracted by Zorg en Zekerheid: they charge the costs of the care directly to Zorg en Zekerheid.

Data about your health
Zorg en Zekerheid takes particular care when handling data about your health. We use such data to determine whether you are entitled to (reimbursement of the costs of) care. To the extent required, we also use health-related data to check information, to investigate cases of fraud, to recover costs from third parties and to conduct care purchasing and risk management analyses.

Zorg en Zekerheid's medical adviser is a physician, dentist, physiotherapist,  obstetrician, nurse, healthcare psychologist, psychotherapist or pharmacist included in the Individual Healthcare Professions Act (BIG) Register.

The medical adviser is bound to a statutory duty of confidentiality. The medical adviser is / medical advisers are responsible for the use of health-related data. This includes the use of health-related data by any employee, except as regards purely administrative actions such as the processing of claims submitted by care providers and forwarding and digitising mail. The group of employees that come under the responsibility of the medical adviser is known as the ‘functional unit’. The employees in the functional unit are bound to the same duty of confidentiality as the medical adviser.

Automated processing of request for authorisation or claim
Request for authorisation
Your request for authorisation is subjected to a careful process that includes the use of assessment criteria based on the applicable insurance conditions. These criteria may be applied as part of an automated system. You will be notified about the acceptance or rejection of your application. That notification also includes instructions on how to submit a complaint, should you wish to do so.

Claims
Claims are normally processed in an automated system that includes the use of assessment criteria based on the applicable insurance conditions. You always have the right to submit a question or complaint in connection with the automated processing of your claim.

III. Commerce and Marketing

Zorg en Zekerheid uses your personal data to inform you and to bring its other products and services to your attention. We never use data about your health (such as claims-related data) for commercial purposes. Sometimes Zorg en Zekerheid selects specific customers from its customer file, for example in order to promote a product among a particular target group. When making such selections for commercial purposes, we do not use health-related or financial data.

Analysis
Zorg en Zekerheid will use your personal data for analyses conducted for marketing purposes. However, this will not involve any data about your health.

Selecting customer groups

Zorg en Zekerheid uses personal data to form customer groups for the purposes of marketing activities and service improvement. Customer groups can also be created on the basis of data obtained from sources outside of Zorg en Zekerheid. Your data will not be used for automated decisions that would have legal consequences for you or would affect you in any other significant manner.

Cookies
When you visit the Zorg en Zekerheid website, we may store information on your computer in the form of a cookie. For more information about cookies on the Zorg en Zekerheid website, please read our cookie statement.

Camera surveillance
Finally, Zorg en Zekerheid uses camera images recorded inside its buildings and on its premises so as to guard your property and ours.

2. For how long do we keep your personal data?

Zorg en Zekerheid will keep your personal data for as long as we need them for the purpose for which we originally obtained them. This means that we will keep most data for seven years (counting from the year after the year to which they relate), with the following exceptions:

• No signed insurance contract: it may be the case that you applied for insurance from Zorg en Zekerheid but have not actually entered into an insurance contract. You may have decided yourself not to take out the insurance, or perhaps Zorg en Zekerheid refused it. In such cases, Zorg en Zekerheid will keep your data for one year following the application. This enables Zorg en Zekerheid to check your data in the event that you submit another application the next year. In addition, it enables Zorg en Zekerheid to introduce you to other products you may be interested in, unless you have expressly stated that you do not want us to do so.

• After termination of your insurance: did you take out insurance and have you terminated the contract? In that case we will keep your data for a maximum of seven years after termination of your insurance or after receipt of your last bill. We do so in part in compliance with the Healthcare Insurance Act. We are permitted to use those data for marketing purposes for up to two years, unless you have expressly indicated that you do not want us to do so.

• Fraud: after using your data as part of an investigation into fraud, we will keep them for a period of eight years after the end of the investigation.

• Recording telephone calls for quality assurance and customer service purposes: we record your telephone conversations with us. We do so for the purposes of training and assessing our employees and having a definite record of the content of the conversation in case of a subsequent dispute. We will keep these data for no more than six months.

• Payment behaviour: if your insurance was terminated due to your failure to pay (or pay in time) any amount owed, we will keep the relevant data for five years at most.

• Complaints and disputes: in the event that we used your data within the context of a complaint or dispute, we will keep them for a period of five years after concluding the relevant complaints handling or dispute settlement procedure.

3. What are your rights?

You have the right to inspect, rectify, erase or limit the use of your personal data, to claim the portability of your personal data, and to object to, and withdraw your consent for, the use of your personal data. Below we will explain what these rights entail.

Right of inspection

You have the right to inspect your personal data held by Zorg en Zekerheid and to inspect the information for which we use those personal data.

Generally speaking, we have safeguards in place to ensure the right of inspection by enabling you to personally view, via MijnZZ, which of your personal data are processed (name and address details, insurance details and information about excess, premiums and healthcare costs paid).

In addition to that, you may want to have access to other, specific information. If so, please submit a request to that effect, specifying the data you wish to inspect.

Data portability

You have the right to receive your personal data from Zorg en Zekerheid in a structured, commonly used and machine-readable format if those data were provided to Zorg en Zekerheid by you or on your behalf and Zorg en Zekerheid used them by automated means.

Zorg en Zekerheid may also send the personal data directly to another healthcare insurer in the case of data that you need to switch to that other healthcare insurer or in the case of care reimbursement authorisations issued by Zorg en Zekerheid.

If you wish Zorg en Zekerheid to send your data directly to another healthcare insurer, please make sure to say so in your request.

Rectification

You have the right to rectify any personal data concerning you that are incorrect. You have the right to have incomplete personal data completed, for example by means of providing a supplementary statement.  

In your request, please specify the data to be rectified and why they must be rectified.

Erasure

You can ask Zorg en Zekerheid to erase your personal data if you believe that one of the following grounds applies:

• Zorg en Zekerheid no longer needs your personal data.

• Your data are being used on the basis of your specific consent, and you decide to withdraw your consent.

• You object, in the manner described below, to the use of your personal data.

• The use by Zorg en Zekerheid of your personal data was unlawful.

• Zorg en Zekerheid was under a statutory obligation to erase your data.

• Zorg en Zekerheid uses your data for social media purposes.

In your request, please specify the data you wish to have erased and why you believe that Zorg en Zekerheid should do so. If your request concerns your insurance, it will often prove impossible to erase your data because Zorg en Zekerheid needs those data, with due regard for the applicable retention period (see section 2).

Limitation

You have the right to demand that the use of your personal data is limited:

• during the period that Zorg en Zekerheid needs to verify that your data need to be corrected;

• if Zorg en Zekerheid unlawfully used your personal data but you do not wish them to be erased;

• during the period in which you are awaiting a response from Zorg en Zekerheid after objecting to the use of your personal data.

If the use of your personal data is subjected to limitations, Zorg en Zekerheid will not be permitted to use them without your consent. There are a number of exceptions to this rule. Your personal data may still be used:

• to ensure the proper performance of your healthcare insurance and supplementary healthcare insurance, so that you remain insured and your healthcare insurer will continue to be able to pay your bills;

• to establish, exercise and defend a legal claim;

• to protect the rights of another person or legal person; or

• for reasons of significant public interest for the European Union or a Member State of the European Union, for example in the area of public health.

In your request, please explain why Zorg en Zekerheid should not have used your personal data. Alternatively, you can enclose the request for limitation on the use of your personal with a request for rectification or an objection.

If you submitted a demand for limitation on the use of your personal data along with your demand for rectification or your objection, the use of your personal data will be limited during this period.

Objection

You have the right to object against the use of your personal data for the purposes of direct marketing. If your data are used for purposes other than direct marketing or performance of your insurance contract, you are entitled to object if you have special personal reasons to do so. In your objection, please specify the data concerned and your reasons for objecting.

Consent

If Zorg en Zekerheid only uses your personal data with your consent, you may withdraw your consent at any time. Withdrawal of your consent has no retroactive effect. This means that it will not have any consequences for actions that have already been performed.

In your request, please specify the consent that you wish to withdraw.

4. How can you exercise your rights?

If you wish to claim one of the rights specified below, please submit a request to that effect to the Data Protection Officer at Zorg en Zekerheid. You can do so by letter or email, for example. We will let you know within one month how we have handled your request. If your request is particularly complex, we may extend this deadline by another two months. If Zorg en Zekerheid wishes to extend the deadline, we will let you know within one month following receipt of your request.

Complaint or notice of request

If you are of the opinion that Zorg en Zekerheid is processing your personal data in contravention of the Regulation, you can lodge a complaint with the Dutch Data Protection Authority or another supervisory body. Alternatively, you can submit a notice of request to the court.

Are you a policyholder and have you taken out basic insurance for a child? In that case you can also invoke the rights mentioned under 3. above in respect of the child. Note however that special rules will apply once the child turns 16. From then on, as a policyholder you are only entitled to the data needed to take out the basic insurance policy and to maintain an overview of the invoices payable by you. So when you request access to the personal data of a child aged 16 or older for whom you are the policyholder, we will only be able to provide you with the data specified above. We can provide access to the full personal data only if you are able to submit an authorisation to that effect signed by the child aged 16 or older.

5. How are your personal data protected?

Zorg en Zekerheid has implemented company-wide security measures to protect your personal data. These measures concern the organisation, its employees, processes , technology and physical security and are laid down in the Zorg en Zekerheid Security Policy.

The world of information security is developing at a rapid pace. We have designed our security measures with due regard for the relevant international standards, such as ISO ISO27002. We periodically check whether the measures imposed are still effective. We do so by carrying out risk analyses, implementing internal control plans and commissioning independent audits. In addition, Zorg en Zekerheid comes under the direct supervision of various supervisory bodies and the external auditor, with supervisory tasks focusing on, among other things, the functioning of internal control measures for information security. If Zorg en Zekerheid engages third parties in the processing of personal data, Zorg en Zekerheid will verify that they have implemented sufficient security measures appropriate to the type of personal data concerned.

6. How to contact your healthcare insurer?

If you have any questions, please do not hesitate to contact Zorg en Zekerheid. 

Please address your question to the Data Protection Officer. Send your email to privacy@zorgenzekerheid.nl.

This privacy statement is subject to change. You will always find the most recent version here. The date of the most recent amendment is shown at the bottom of this statement.

Leiden, 20 March 2024