Why a privacy statement?
In this privacy statement, we explain how we handle and protect your personal information (also called ‘personal data’). We do this by answering the following questions:
- for what purposes does ONVZ use your personal data?
- how long does ONVZ keep your personal data?
- what are your rights?
- how can you exercise your rights?
- how do we protect your personal data?
- how can you contact ONVZ with questions about this privacy statement?
Health insurers have collectively agreed a number of rules of conduct concerning how they process personal data. These have been set out in the Gedragscode Verwerking Persoonsgegevens Zorgverzekeraars. You can find the text of this Code of Conduct (in Dutch) here. This privacy statement is also in compliance with the provisions of this Code of Conduct.
What information is covered by this privacy statement?
This privacy statement applies to ONVZ Ziektekostenverzekeraar N.V. and ONVZ Aanvullende Verzekering N.V., which in this privacy statement we will refer to jointly as 'ONVZ', 'we', 'us' and 'our'. This means that this privacy statement applies both to the basic health-care plan and to all the supplementary health-care plans offered by ONVZ.
The term 'personal information' is a key phrase in this privacy statement. We may also refer to this as 'personal data' or 'personal details'; in all cases this means information that relates to you personally or that says something about your personal situation. This could be the details on a bill that includes your name, date of birth, and address, as well as the treatment you have had. Because the bill includes your name, the further information on the bill is clearly about you personally. There are cases, however, where the information is not directly about you, but can, with some effort, be traced back to you. This could be a bill that does not state your name but does show your address and date of birth, for example. This is then still considered personal information.
While information relating only to a business is not considered personal data, the information relating to that company's employees or customers is.
For what purposes does ONVZ use your personal data?
You are insured by ONVZ for your basic health-care, for supplementary health-care, or for both. ONVZ can only administer your policy or policies if we can process your personal information. We also provide the specifics of this under numbers 55 to 60 (inclusive) of our General Rules and Regulations.
Your personal information is used in 4 situations:
- you want to be insured with ONVZ
- you are insured with ONVZ
- ONVZ wants to inform you about something (marketing)
- you are a business partner of ONVZ
Below, we explain further how we use your personal information.
If, after reading this privacy statement, you have any questions, or if you wish to submit a complaint, you can always contact ONVZ directly.
If you disagree with an automated or manual decision we have made, you can always lodge a complaint with ONVZ. You can read how to do this at the bottom of this page.
In administering your policy or policies, ONVZ may use the services of third parties. These services may involve the processing of your personal data. ONVZ remains responsible at all times for the use of your personal data and how your personal data are processed by third parties.
1. You want to be insured with ONVZ
When you apply for insurance with ONVZ, ONVZ assesses whether that is possible, depending in part on whether you are applying for the basic health-care plan or one of our supplementary health-care plans.
The Zorgverzekeringswet states who is obliged to take out basic health-care insurance, i.e. who has an 'insurance obligation'. You can only take out basic health-care insurance with us if you have this insurance obligation. ONVZ needs to be able to establish that you are obliged to have this insurance, and to do so ONVZ uses the personal information you entered on the application form or provided ONVZ with later.
Most of our supplementary health-care policies can be taken out without additional checks. However, for some of the supplementary policies ONVZ will ask you health-related questions, and whether you will be accepted for the policy depends on the answers you provide. ONVZ needs to check the information you provide when answering these questions. This may only be done by ONVZ staff who work under the responsibility of the medical adviser. This is how we ensure the confidentiality of your medical information.
If you have been accepted for the basic health-care plan or one or more of our supplementary health-care plans, ONVZ uses your details to prepare your policy and send this to you. If your application for the basic health-care plan or one of our supplementary health-care plans has been rejected, ONVZ uses your details to inform you of this and (possibly) to offer you a different insurance policy.
When you request or take out insurance with ONVZ, we record certain of your personal details, such as your citizen service number ('BSN'), for our files. As a health insurer, ONVZ is required to record this number. Your citizen service number is only used in the manner prescribed by law. In addition to recording this in our files, your citizen service number is used, for example, in our contact with health-care providers you have visited.
Automated assessment and acceptance
ONVZ does not assess every application manually, nor do we send out every acceptance or rejection letter by hand. Most applications can be assessed and accepted automatically. If something is unclear on your form or has not been filled in, the automated system will not be able to process your application and it will be passed on to ONVZ staff for assessment.
2. You are insured with ONVZ
When you are insured with ONVZ, we use your personal information to administer your policy or policies; this is simply necessary. ONVZ needs to use your personal information in any case to:
- determine whether you are entitled to receive health-care, or to reimbursement of the costs of health-care
- pay the bills submitted to us by health-care providers
- pay claims you submit to us
- collect the premium due
- determine the amount of the personal contributions and excess
- carry out checks
- prevent and detect fraud. ONVZ has an internal fraud registration system for example
- recover damages from third parties
- investigate claimed health-care, and monitor the quality of the health-care provided
- improve our services
- provide individual or groups of insured persons with relevant information
- prevent payment arrears
- handle complaints and disputes
- manage risk, in terms of health-care expenditures for example
- conclude contracts with health-care providers (we call this 'health-care procurement').
Automated use of your information
Above, we have described a number of the activities ONVZ carries out as a health insurer. ONVZ carries out some of these activities in full or in part using an automated system. This happens, for example, when you submit a claim to ONVZ and we process this, or when ONVZ carries out certain checks on your claim (and the accompanying bill). When you request permission from ONVZ for certain health-care, or receive information from us, ONVZ handles this, in part, automatically.
Information concerning your health
This information (formally called 'medical data') is of a more sensitive nature than your name, address and date of birth, for example. It’s sometimes necessary to process this sensitive information to determine whether you are entitled to reimbursement of the costs of health-care for example. It may also be used, for example, to check your health-care claims, in a fraud investigation, to recover damages from a third party, for health-care procurement and/or for risk management purposes.
ONVZ handles your medical data with extra care: ONVZ only allows the medical adviser, or ONVZ employees working directly under the responsibility of the medical adviser, to process and use your medical data. The medical adviser has a duty of confidentiality that extends to your medical data. This is set down by law. Every employee who works under the responsibility of the medical adviser has the same duty of confidentiality. This has been agreed with them. ONVZ refers to the medical advisers and the staff working under them as ‘the functional unit’.
The above does not extend to activities of a strictly administrative nature, such as processing claims from health-care providers or forwarding and digitising letters received by post. We have of course made confidentiality arrangements with our claims handling staff and the staff of the company we use to digitise print correspondence, as well as with our other employees and those of companies we contract to carry out activities that involve processing your personal data.
ONVZ has a number of medical advisers, such as our allied health professional to advise us on physiotherapy, our dental adviser for dental care, a mental health-care psychologist for general basic mental health-care, and a number of other advisers for other types of health-care, such as hospital care and GP care. All ONVZ medical advisers are listed in the register maintained in compliance with the Wet op de beroepen in de individuele gezondheidszorg, known as the 'BIG register'.
Exchanging information with third parties
ONVZ will occasionally receive your personal information from other parties, but only when required. We may receive your personal information from:
- a health-care provider with whom ONVZ has a contract and who is treating you. The health-care provider then sends the bill directly to ONVZ
- your employer, or another organisation if you are part of a group that has a group policy with us. In these situations, ONVZ will only receive from your employer or the other organisation the details required to check whether you are still entitled to insurance under the group policy and to the related discount
- administrators of the Basisregistratie Personen, when this is needed to check whether you are still entitled to be insured under the basic health-care plan
- the Dutch Central Administration Office (CAK), if you have not taken out at least basic health-care insurance while you are required to do so by law. If, after being notified, you still fail to take out insurance, CAK will take this out for you, through ONVZ for example
ONVZ will occasionally provide other parties with your personal information, but only when this is required. We may provide your personal information to:
- university medical centres or research agencies for the purpose of scientific research or statistics. ONVZ will only provide these organisations with your personal data if the research cannot be done using anonymised data and if the research is in the public interest and if it was impossible or too difficult to get your consent for this
- the administrators of the Extern Verwijzingsregister (external reference register). If ONVZ has a well-founded suspicion of fraud, we are entitled to inform other health insurers of this. Fraud includes things like falsifying bills, skimming, phishing, identity fraud, embezzlement at work, and wilful deception. We inform other insurers of this by including referral data of the person concerned in this register. This is not a public register: a protocol determines who has access to it and under what circumstances
- the Zorgkantoor regional care administration office for the purpose of administering your policy. This is to coordinate the reimbursement of health-care costs under your basic health-care policy or under the ‘Wlz’ (Long-term Care Act) scheme in order to ensure that the same costs are not reimbursed twice
- health-care providers, if you ask us to help you find a different provider (or simply a provider), for example because the provider you would prefer to use has a long waiting list
In certain situations, ONVZ is obliged to provide your personal information to a third party, i.e. to:
- the Dutch Central Administration Office (CAK) if you are entitled to receive compensation for the mandatory excess. The details provided would be your citizen service number (‘BSN’) and your bank account number
- the local authorities for the municipality in which you live, for the purpose of preventing and reducing debt
- supervisory bodies such as the Nederlandse Zorgautoriteit or Autoriteit Persoonsgegevens to enable them to carry out their supervisory task
3. ONVZ wants to inform you (marketing)
ONVZ also uses your personal details to inform you about products and services other than the insurance you have taken out with ONVZ. Sometimes ONVZ sends this information to all its policyholders or business partners, and sometimes just to a selection of these. ONVZ will never base its selection on information concerning your health or finances: the selection is made based on criteria such as your address and age.
4. You are a business partner of ONVZ
Are you an ONVZ business partner (employer, insurance agent or health-care provider)? Then ONVZ will use your data to inform you about our products and services. You can also read more about this in section 3. ONVZ wants to inform you (marketing).
In addition, we require your data in the following situations:
- take out and manage collective contracts (employers and insurance agents), for example via our online portals
- take out and manage health-care agreements
- pay the bills submitted to us by health-care providers
- perform regular control checks
- prevent and detect fraud (ONVZ has an internal fraud registration system for example)
- monitor the quality of health-care provided
- improve our services
- share important changes or other information relevant to you
- handle complaints and disputes
- manage risk, in terms of health-care expenditures for example
Data from your employees, relations or clients
Do your employees, relations or clients have an ONVZ health-care plan? Then we need their details to carry out their insurance policies. We receive this information directly from the insured person. You can read more about this in section 2. You are insured with ONVZ or 3. ONVZ wants to inform you (marketing).
Additionally, we solely receive information from employers about the employment and resignation of their employees (and associated information).
How long does ONVZ keep your personal data?
The period over which we are required to keep personal data is sometimes set down by law or regulation, but sometimes not. ONVZ keeps your personal data for as long as required or needed. How long that is depends on why ONVZ was provided your personal information and why it needs to retain it.
Below, we explain which rules apply in which situations.
The main rule: seven years
The main rule is that ONVZ retains your information for seven years from the date your insurance with ONVZ ends. This retention period is prescribed under the Zorgverzekeringswet and several other laws and regulations (such as tax law).
There are a number of exceptions to the seven-year rule, which we explain below.
- Insurance not taken out: ONVZ retains your information for a period of one year if you apply for insurance with ONVZ but do not take it out, because you changed your mind for example, or because you did not qualify for the insurance. If you reapply for the same insurance a year later, ONVZ will use the previously provided information to assess your new application. ONVZ may also approach you during that year with interesting information about its insurance plans and services. ONVZ will not do this, however, if you have stated that you do not want to be approached.
- When your policy ends: If your policy is not renewed, ONVZ will retain your information for a period of seven years as per the main rule. ONVZ may also approach you during the first two years of this seven-year period with interesting information about its insurance plans and services. ONVZ will not do this, however, if you have stated that you do not want to be approached.
- Investigation: When ONVZ carries out an investigation, we retain the information as long as required to complete the investigation and secure our rights. This might, for example, involve investigating a health-care provider who treated you and where your personal details have been used. The investigation may reveal that the health-care provider will need to repay us for the bills submitted for your treatment. ONVZ then needs those details to arrange and secure the repayment.
- Fraud: If we have carried out an investigation into fraud, we retain your information for eight years after the investigation has been closed. We do this in part to prevent future instances of fraud.
- Recording calls for training purposes: When you call our Service Center we may record your call and keep the recording for one month. This is done to help train employees and improve our services. The recorded calls are not used for any other purpose.
- Complaints and disputes: If you submit a complaint or have a dispute with us, we retain your information for a period of two years from the date the complaint or dispute has been resolved.
What are your rights?
In our view, careful use of personal information also entails respecting your rights. In addition to being entitled to see which information we keep about you, you are also entitled to request that this be corrected (right to rectification), deleted (right to erasure) and/or transferred to another party (right to data portability), and you may ask us to restrict processing of this information (right to restriction of processing). You may also object to ONVZ processing your personal information altogether. You may, of course, withdraw consent you previously gave ONVZ for the processing of your personal information.
If you would like to make active use of one of the rights described above, you can send your request or objection to ONVZ’s Data Protection Officer. You can read how to do this at the bottom of this page.
In principle, we will respond to your request or objection within one month and explain the steps we have taken. If your request or objection is complex, however, this period can be extended by an additional two months, in which case we will inform you of this extension within one month of receiving your request.
If you are not satisfied with the way in which your request or objection has been handled, you may lodge a complaint with the Dutch Data Protection Authority (or with a comparable supervisory authority in any other EU Member State). You also have the right to apply to the court.
You can always ask what personal information ONVZ holds about you and the purposes for which we use this information. Through your personal 'MijnONVZ' page, we provide you secure access to much of the personal information ONVZ holds about you. After logging in, you can see the following information:
- your name and address details
- your insurance details
- the details of your excess and personal contributions
- details of your premium payments
- costs of the health-care you have received
You may wish to see other specific information however, in which case you can submit a request. In your request, please specify the personal information you would like to see.
ONVZ naturally wants to be sure that the information it holds about you is accurate. If you discover that information we hold about you is inaccurate or incomplete, you can ask us to rectify this. In your request, please specify which information needs to be rectified and why.
You can ask ONVZ to delete information it holds about you in the following situations:
- ONVZ no longer needs your personal information
- your personal information is being used with your consent, but you are now withdrawing that consent
- you have grounds to object to the use of your personal information
- ONVZ is not entitled to use your personal information
- ONVZ was already required by law to delete your personal information
- ONVZ is using your personal information for social media and you are withdrawing your consent for this
In your request, please specify the personal information you would like ONVZ to delete and why you feel that ONVZ should do this. If your request concerns information directly relating to your insurance, we will often not be able to comply with your request as ONVZ needs this information to administer your policy.
Restriction of processing
Does one of the following situations apply to you?
- you have asked for your information to be rectified and your request is being processed by ONVZ
- ONVZ is not entitled to use your personal information but you do not want your information erased either
- you have lodged an objection against the processing of your information by ONVZ and your objection is still being handled by ONVZ
In these situations, you may object to ONVZ processing your personal information, in which case ONVZ may only use your information:
- if you have authorised this
- to administer your insurance with ONVZ, so that you can remain insured and the claims under your insurance can be paid
- to establish, exercise, or defend a legal claim
- to protect the rights of another natural or legal person
- or for reasons of overriding public interest in the European Union or a Member State, when public health is at risk for example
In your request, please specify why ONVZ may not use your personal information. You can also include the request to restrict the processing of your personal information with your rectification request or your objection.
If your request is justified, ONVZ will restrict the processing of your personal information for as long as the situation that entitles you to request restriction, as stated above, persists. Your insurance plans will, of course, continue unaffected and you will have to continue paying the premium during the restriction period.
You may ask ONVZ to transfer the information it holds about you, either to another organisation, another person or persons, or to you personally. ONVZ can only comply with such a request if it processes your personal data by automatic means. If so, ONVZ will transmit the data to you in a structured, commonly used format that can be sent and opened via a computer, smartphone or tablet.
If you are switching to a different health-care provider, you can use the switch service, stating when you apply with your new insurer that you are switching from ONVZ. ONVZ will then send some of your personal data directly to your new health insurer, specifically the personal data needed for you to switch insurers and authorisations provided by ONVZ for the reimbursement of health-care costs. The latter is because your new health insurer will take over the authorisations for health-care covered under your health insurance plan.
You have the right to object to the processing of your personal information if this is on grounds relating to your particular situation and if the information is not being processed for the administration of your policy or policies. In your objection, please specify which personal information this concerns and the reason for your objection.
Changing or withdrawing consent
If ONVZ processes your personal information strictly with your consent, you may change or withdraw this consent at any time. Consent cannot be changed or withdrawn with retroactive effect however, meaning that this will not affect any processing operations already completed.
In your request, please specify what you would like to change or which consent you would like to withdraw.
Rights of children under the age of 16
If you are the policyholder and you have taken out basic health-care insurance for a child, you can also invoke the rights stated above on behalf of this child. If the child is 16 or older, however, special rules apply. In that case, you as policyholder only have access to and rights concerning certain information, i.e. the information you need to take out the basic health-care insurance and to receive sufficient insight into the bills that need to be paid. If you as policyholder request, for example, access to the personal information of a co-insured child who is not a minor, we may only provide you with the information stated above.
How does ONVZ protect your personal data?
To protect personal data, ONVZ has implemented and maintains security measures throughout the organisation. These measures, which involve the organisation, staff, processes, technology, and physical security of our offices in Houten for example, are set out in ONVZ’s security policy. This policy has been reviewed by our IT auditors, and the Dutch central bank DNB monitors the implementation of our security policy as well.
Our security measures have been derived from the internationally applicable standard for information security controls ISO/IEC 27002.
ONVZ also uses the services of third parties in activities that also involve processing your personal information. An example would be the company that digitises the correspondence we receive by post so that we can include this correspondence in our digital administration system. We have agreed with these third parties that process your personal information that they will maintain data security that is adequate for the type of personal information being processed and that they will always be able to demonstrate that they do so.
How to get in touch with ONVZ
If you have any questions about this privacy statement, you can contact ONVZ’s Data Protection Officer (Functionaris Gegevensbescherming) by sending an email to email@example.com or a letter to:
T.a.v. Functionaris Gegevensbescherming
3990 GD Houten
If you have a complaint regarding privacy, you can let us know using the contact form on our website. You can also always lodge your complaint with the Dutch Data Protection Authority via www.autoriteitpersoonsgegevens.nl or call them on 0900 200 1201.