Privacy

General

This privacy statement applies to all personal data that the IGJ requires from you and processes about you in the execution of its duties.

Responsibility

The IGJ operates under the Ministry of Health, Welfare and Sport (VWS). The Minister of VWS and the IGJ share responsibility for the processing of personal data.

Updating the privacy statement

Given the continuous evolution of privacy laws, regulations and practical implementations, this privacy statement is updated regularly.

What constitutes personal data and which types does IGJ process?

We process the following data:

• Personal data
• Special categories of personal data
• Police data

• Data provided by the Public Prosecution Service to ensure proper supervision (sensitive data)

Why do we process personal data?

The IGJ processes personal data for the following purposes: 

• Identifying the greatest risks in healthcare through supervision of institutions, professionals and producers in healthcare and youth care. Supervision is risk-based, meaning we investigate topics where we suspect something is amiss; 
• Conducting research on products and themes in healthcare, youth care, and public health supervision;
• Investigating, recording, and handling reports received about healthcare;
• Responding to and recording inquiries from citizens, healthcare providers, professionals, agencies and other organisations;
• Recording complaints from citizens about the quality of care; 
• Recording and handling complaints about the IGJ;
• Handling enforcement requests and recording them; 
• Implementing measures to ensure individuals and organisations comply with laws and other supervision standards, potentially imposing fines or indicating restrictions on professional roles based on disciplinary, administrative or criminal law; 
• Processing requests under the GDPR, Police Data Act and the Open Government Act.
• Our special investigating officers have a police task and we process the personal data they collect to execute their tasks and investigations in accordance with Sections 8 and 9 of the Police Data Act.

How do we handle personal data?

At the IGJ, it is paramount to process personal data in a lawful, fair and transparent manner, adhering to legal regulations. To ensure this, we implement necessary measures and follow specific principles.

Our general privacy principles

To process personal data, we abide by the following principles.

Lawfulness, fairness, and transparency

• We process data lawfully and based on legal grounds, utilising only personal data necessary for our supervision. Special categories of personal data are processed under strict conditions. 
• If consent was required to process specific personal data, we can demonstrate obtaining this consent and specify the information provided by the individual. The individual can withdraw this consent at any time.

Purpose limitation and data minimisation

We only process personal data necessary for our role as a supervisory authority, focusing on ensuring the safety and quality of healthcare and youth assistance. When processing personal data, we assess: 

• Does the purpose of processing justify the intrusion into the individual's privacy?
• Can we achieve our goal by processing fewer personal data?

Accuracy

Personal data are accurate and up-to-date.

Storage limitation

• We do not retain personal data longer than necessary. 
• Personal data is deleted when no longer needed for our purpose or is anonymised.

Confidentiality, Integrity and Availability’

We secure personal data and implement measures for a reliable, fair and careful handling of personal data. We do so in 3 ways:

• We treat personal data confidentially, with organisational agreements on who may process specific personal data. 
• Implementing appropriate technical and organisational security measures, following at least the guidelines and standards of the Dutch government for information security.
• We make agreements with external parties, such as software suppliers, regarding technical and organisational measures, and verify their compliance with these agreements.

How do we keep track of processed personal data?

We maintain a register of personal data: the GDPR register. You can view the GDPR register on the website of the Ministry of Health, Welfare and Sport.

The GDPR register includes the following information:

• How we process personal data.
• The purpose for processing personal data 
• The types of personal data processed.
• The duration of data retention.
• The category to which the person whose data is processed belongs (e.g., a health insurer or a physician).

When do we share your data?

The IGJ collaborates with other supervisory authorities and agencies. In some cases, we are authorised and sometimes obligated to provide data and information to other government institutions and agencies.

The supervisory authorities and agencies we work with include: 

• Dutch Healthcare Authority (NZa);
• National Institute for Public Health and the Environment (RIVM);
• Netherlands Authority for Consumers & Markets (ACM);
• Central Information Unit on Healthcare Professions (CIBG);
• Public Prosecution Service (OM).

We share information with these organisations responsibly, providing personal data only if we meet the following conditions:

• It is permitted by law;
• The other supervisory authority or agency requires the data to perform its duties.

The inspection informs the supervisory authority or agency about how we obtained the data.

Do we share your personal data across borders?

There are instances when we may transfer your personal data to other countries, but only when necessary to comply with the law. We distinguish between countries within the European Union (EU) and those outside the EU.

What are your rights?

The GDPR (called AVG in Dutch) and the Police Data Act (called Wpg in Dutch) empower you to assert your privacy rights when an organisation processes your data. You can also assert these rights with us if we handle your data. To do so, simply submit a request under the GDPR or Police Data Act. Here are the privacy rights you can assert:

1. Right of access
   You can inquire whether we process your personal data and why. You have the right to receive clear information about what we do with your personal data and the purpose behind it.
2. Right to rectification and completion
   This means that you have the right to ask us to modify or supplement the processed personal data.
3. Right to restriction of processing
   You have the right to request that we temporarily cease processing and modifying your personal data.
4. Right to erasure
   In specific situations, the ‘right to be forgotten’ requires us to erase your personal data.

Read on for more details on how to submit a request under the AVG (GDPR) or Wpg (Police Data Act) (page in Dutch).

Questions or complaints?

If you want to know more about how we handle personal data or if you have a complaint about our procedures, you can reach us at privacy@igj.nl. Additionally, you have the option to contact the Data Protection Officer or file a complaint with our complaints officer or the Dutch Data Protection Authority.

Data Protection Officer

The IGJ has a Data Protection Officer (DPO) who oversees the effective implementation of our privacy and security policies. The DPO is part of the Ministry of Health, Welfare and Sport.

If you have a question for the Data Protection Officer, you can send them an email.

You can also send a letter to the following address:
Functionaris voor de Gegevensbescherming (Data Protection Officer)
Ministry of Health, Welfare and Sport
Directorate of Administrative and Political Affairs
PO Box 20350
2500 EJ  THE HAGUE

Concerns About GDPR or Police Data Act Compliance?

If you believe we are not adhering to the GDPR or Police Data Act in processing your personal data, you are welcome to file a complaint (page in Dutch) with us. If you cannot resolve the issue with us, you can submit a complaint to the Dutch Data Protection Authority (AP), which will then handle and decide on your complaint.