Privacy and cookie policy
Article 1. Layla Ajedday ensures that (special) Personal Data of patients are handled with care. We comply with the applicable laws and regulations, including the General Data Protection Regulation. With this Privacy Regulation we want to inform you further about our policy.
Article 2. Definitions
For the sake of clarity, we will briefly explain what we mean by certain terms:
Personal data: all data by means of which the patient can be identified.
Controller: the controller as referred to in Article 4 paragraph 7 of the Regulation. For this privacy policy, the dental practice.
Processing: any operation or processing carried out on personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as blocking, erasure or destruction of personal data.
Processor: the person who is responsible for the Processing of Personal Data on behalf of the dental practice, without being subject to its direct authority, such as assistants hired by the Controller.
Data subject: the person to whom the Personal Data relates, generally the patient.
Implementing Act: the General Data Protection Regulation Implementing Act.
Regulation: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ 2016, L 119).
Privacy Policy: this document.
Pseudonymised data: Personal data that can no longer be linked to a specific data subject without the use of additional data. These additional data are stored in such a way that they cannot be linked to an identifiable person.
Article 3. How do we obtain the data?
Personal data originate from or are derived from data provided orally and in writing by the Data Subject or their legal representative. Personal data may also be provided by the health insurer, the general practitioner, other practitioners, specialists, care providers or persons or institutions other than those mentioned above.
Article 4. How and why do we process data?
1. Processing is carried out in a manner that is lawful, fair and transparent in relation to the Data Subject. In addition, Personal Data is collected for specific, explicit and legitimate purposes. Processing is not carried out in a manner that is incompatible with those purposes.
2. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is not considered to be incompatible with the original purposes.
3. Processing is only lawful if and to the extent that at least one of the following conditions is met:
a. Consent of the Data Subject;
b. Entering into and performing a treatment (agreement);
c. Safeguarding a vital interest of the Data Subject, such as emergencies;
d. Protecting a legitimate interest of the Controller or of a third party (for example business continuity);
e. Necessity to comply with a legal obligation or an agreement with the Data Subject.
4. Personal Data will only be Processed to the extent that, given the purposes for which they are Processed, they are adequate, relevant and limited to what is necessary.
5. The dental practice processes Personal Data for the following purposes:
a. Treatment of the Data Subject;
b. Informing and contacting Data Subject(s);
c. Financial administration;
d. Proper functioning of the website.
Article 5. Conditions for consent
1. The Controller can demonstrate that the Data Subject has given consent to the Processing.
2. The Data Subject can withdraw consent at any time.
Article 6. Other data
Anonymized data do not fall under the scope of this Privacy Policy.
Article 7. What data is involved?
Processing may relate to the following categories of data:
a. Surname, first names, initials, title, gender, date of birth, address, postcode, place of residence, telephone number and similar data required for communication, as well as payment details of the Data Subject;
b. An administrative number that does not contain any information other than that referred to under a;
c. Data referred to under a, of the parents, guardians or carers of minor Data Subjects;
d. Data referred to under a of the family members or relatives of the Data Subject as well as others who are informed about the Data Subject’s well-being and health;
e. Information about the Data Subject’s state of health and, in the event of hereditary conditions, his or her family members and relatives;
f. Other special Personal Data with a view to the proper treatment or care of the Data Subject;
g. Information about the treatment followed and to be followed by the Data Subject as well as the medicines or facilities provided;
h. Information about the calculation, recording and collection of compensation;
i. Information about the Data Subject’s insurance;
j. Other data necessary for the treatment.
Article 8. Information obligation
1. Before the Controller Processes Personal Data, he shall inform the Data Subject and/or his/her legal representative:
a. Who is responsible for the processing with contact details;
b. Why certain, specific Personal Data will be Processed;
c. Where applicable, the contact details of the data protection officer;
d. How the Personal Data will be Processed;
e. The period for which the Personal Data will be stored, or, if that is not possible, the criteria for determining that period;
f. Any other information that must be provided for the sake of due care. This also means: the more sensitive the Personal Data that the Controller wishes to Process, the more thorough the information provided must be.
2. If Personal Data are requested via a third party, or are supplied to a third party, the information obligation shall be complied with in the same way, before the Personal Data are obtained or supplied, unless this can only be done with disproportionate effort.
Article 9. Right of access
1. The Data Subject has the right to access his/her Personal Data and may request the following information:
a. A description of the purpose or purposes of the Processing of Personal Data;
b. All available information regarding the origin of the Personal Data;
c. The categories of data to which the Processing relates;
d. An overview of recipients or categories of recipients who have received the Personal Data;
e. Where possible, the period for which the Personal Data will be stored, or if that is not possible, the criteria used to determine that period;
f. That the Data Subject has the right to rectification, the right to erasure and the right to restriction of processing.
2. A request for access may be refused on the following grounds:
a. The applicant is not a Data Subject or his/her request does not relate to data that only relate to the applicant;
b. The applicant has not yet reached the age of 16 and/or has been placed under guardianship. In that case, only the legal representative may make the request;
c. The Controller has already recently responded to a similar request from the same applicant;
d. Protection of the Data Subject or of the rights and freedoms of others;
e. For reasons of national security, and/or the prevention, detection or prosecution of criminal offences.
Article 10. Other rights
1. The Data Subject has the right to object at any time to the Processing of Personal Data concerning him. In the event of an objection, the Processing shall be stopped by the Controller.
2. The Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him.
3. The Data Subject has the right to obtain from the Controller the erasure of Personal Data concerning him without undue delay.
In addition, the Controller is obliged to erase data without undue delay where the Data Subject has withdrawn his consent or where the Controller no longer needs the Personal Data for the purposes for which they were collected.
4. If the accuracy of the Personal Data is contested by the Data Subject, the Controller has the right to obtain from the Controller the restriction of the Processing.
5. The Data Subject has the right to receive the Personal Data concerning him, which he has provided to the Controller, in a structured, commonly used and machine-readable format.
Article 11. The exercise of rights by the Data Subject
The Controller shall take appropriate measures to ensure that the Data Subject receives the communication or information concerning the rights as described in this Privacy Policy in a concise, transparent and accessible manner and in clear terms.
Article 12. Access to and recipients of Personal Data
1. In principle, only those who are directly involved in the performance of the treatment of the Data Subject have access to Personal Data, to the extent that such access is necessary for their work.
2. When Processing is carried out on behalf of the Controller, the Controller will only use Processors who provide sufficient guarantees that the Personal Data are Processed in accordance with the Regulation, the Implementing Act or regulations based thereon.
3. In addition, the following persons and bodies may be granted access/Personal Data may be provided:
a. Researchers as referred to in Article 7:458 of the Dutch Civil Code;
b. Health insurers to the extent necessary with a view to the obligations arising from the insurance contract;
c. Third parties charged with collecting claims to the extent that access/provision is necessary and does not concern medical data;
d. Others, when the basis for the Processed data is:
(i) Consent of the Data Subject;
(ii) A necessity to comply with a legal obligation;
(iii) Safeguarding the vital interests of the Data Subject.
e. Others, where the further Processing is for historical, statistical or scientific purposes, if the Controller has taken the necessary measures to ensure that further Processing is solely for such purposes.
Article 13. Register
The Controller shall maintain a register of processing activities under its responsibility. This register shall contain the following information:
a. The name and contact details of the Controller and, if applicable, of the data protection officer;
b. The purposes of the Processing;
c. The categories of data to which the Processing relates;
d. The categories of recipients to whom the Personal Data are disclosed;
e. Where possible, the envisaged period by which the Personal Data must be erased;
f. Where possible, a description of the technical and organisational measures taken.
Article 14. Breach notification
1. If a breach has occurred in connection with Personal Data, the Controller shall – if and to the extent legally required – notify the Data Subject and the Dutch Data Protection Authority of this as soon as possible after becoming aware of it.
2. The notification referred to in the first paragraph shall contain at least:
a. The nature of the breach;
b. The likely consequences of the breach;
c. The measures taken by the Controller as a result of the breach;
d. A contact point for more information.
Article 15. Retention periods
1. Medical data obtained to enter into or fulfil a treatment agreement will be retained for 20 years. The Controller is not obliged to apply retention periods longer than those required by law, in particular Article 7:454 paragraph 3 of the Dutch Civil Code.
2. Other Personal Data will not be retained for longer than is necessary for the purposes for which they were Processed. If such Personal Data are no longer required, they will be deleted.
Article 16. Confidentiality
1. The Controller, the Processor and anyone who has access to Personal Data under the authority of the Controller are obliged to maintain the confidentiality of the Personal Data.
2. Data relating to the health of the Data Subject(s) are considered ‘special Personal Data’. For the Processing of special Personal Data, everyone who Processes them has a duty of confidentiality. This arises from the office, profession or employment contract of that person.
Article 17. Security
1. The Controller must ensure appropriate technical and organizational measures to protect Personal Data.
2. ‘Appropriate’ means that the security measures taken are appropriate to the risk that the Personal Data are (further) Processed carelessly or unlawfully and to the damage that may result from this. The measures taken must ensure that:
a. Only authorized persons have access to Personal Data;
b. The Personal Data are correct and are not lost;
c. The Personal Data are available without hindrance for lawful Processing in accordance with the agreements within the organization.
3. In all cases, the Controller is responsible for the information security policy and implements this policy within the dental practice.
Article 18. Website
1. The website of Instituut Marie uses cookies. Cookies are small text files that are sent by a website to the browser, after which the browser stores this data. During a subsequent visit to the website, the stored data is sent back to the website by the browser. Cookies come in all shapes and sizes. Instituut Marie Tandartsen uses technical cookies, analytical cookies and marketing cookies. Below we explain what these cookies are used for.
Technical cookies
Technical cookies are necessary for the website to function properly. These cookies are necessary to ensure that you have an optimal user experience. No personal data is processed when using technical cookies.
Analytical cookies
Analytical cookies are used to collect information about how website visitors use and experience our website. This information allows us to optimize the website, monitor the operation of the website and improve the user experience.
No personal data is processed when using analytical cookies.
Marketing cookies
Marketing cookies, also known as tracking cookies, are used to track the surfing behavior of website visitors across the internet. When you have given permission for this, we place tracking cookies in order to be able to present personalized offers and discount campaigns via various online channels.
You give permission for this processing when you place a check mark using the cookie notification. At any time, you can change your preference via the cookie settings on the website. Instituut Marie Tandartsen takes appropriate technical and organizational security measures to protect personal data against loss or any form of unlawful processing. These measures are aimed at achieving an appropriate level of protection, given the risks involved in the processing and the nature of the data to be protected.
2. Retention period of data via the website
Instituut Marie Tandartsen does not store your data for longer than is necessary for the realization of the purposes for which the data was collected, with a maximum duration of 2 years.
3. Management and access to the personal data of third parties
Except for statutory provisions in laws and regulations, only those who are responsible for managing the client file and/or those who are connected to the processing of personal data or who are necessarily involved in this, including employees and processors of Instituut Marie Tandartsen, have access to the personal data.
Instituut Marie uses the following online tools:
• Google Analytics
• Mailchimp
• Instagram
These online tools are used, among other things, to analyze the surfing behavior of website visitors, to collect website statistics and to send newsletters. The above parties, such as Facebook, have their own privacy statement and bear their own responsibility for this.
Article 19. Final provisions
1. The Controller shall not accept any obligations other than those to which it is bound by law, unless otherwise agreed in writing with the Data Subject.
2. The Data Subject has the right to file a complaint with the supervisory authority.
3. Amendments to this Privacy Policy shall be made by the Controller. The amendments to the Privacy Policy shall enter into force with respect to the Data Subject(s) after the Data Subject(s) have been informed of the amendment.
4. This Privacy Policy entered into force on 1 September 2024 and can be viewed at the dental practice.
For questions or to exercise the rights of the Data Subject, you can contact us via:
Amsterdam
laylaajedday.com
info@laylaajedday.nl