Privacy statement Erasmus MC

When you register as a patient with Erasmus MC, we process various personal data, including your name, address, date of birth, and your BSN (your citizen service number). We use this data to be able to contact you, for identification purposes and for the purpose of your treatment. By the processing of personal data we mean that we will register, consult, and store your personal data, and possibly will share your data when necessary, such as with other care providers from other healthcare institutions. 

Are you the patient’s contact person or legal representative?

If you are the contact person or legal representative of one of our patients, we will register a limited amount of your personal data in the patient’s file, such as your name, your relationship to the patient and your telephone number. We need this information to be able to contact you with information about the patient. For example to inform you that the patient’s operation has been successful.  Registering your name and contact details means we process your personal data.

Erasmus MC needs your personal data to provide you with the best possible care. The purposes for processing your personal data include:

• Treatment and other services: We use your data for diagnostics, treatment, aftercare and data exchange with referrers, general practitioners and other healthcare providers. We also use your personal information to talk to you, answer questions, and send you invitations or reminders for appointments. We store this information in your patient file. This file contains your health situation for example, what you tell your doctor, test results, diagnoses and treatment plans.
• Identification: We need your personal data to be able to identify you and to ensure that you are not mistaken for another patient. We register among other things, your citizen service number (in Dutch: BSN) to be able to identify you. This is important so that we can provide you with the right treatment and store all the information relating to your treatment in your patient file. In some cases we may ask you for a copy of your ID, for example with your written request for a copy of your medical file. 

• Legal obligations: Sometimes we process personal data so that we can comply with various legal obligations, such as creating a medical record and reporting certain infectious diseases. We are also obligated to share data with your health insurer and the Healthcare and Youth Inspectorate (in Dutch: IGJ). We also have to provide data to national quality registries, but this data cannot be directly traced back to individual patients.
• Protection of legitimate interests: In certain situations we may process personal data because it is in our interest as Erasmus MC. This is a consideration that Erasmus MC makes, for which it looks at the goal it achieves with the processing of data, but also looks critically at the invasion of privacy it will cause for our patient(s). We will always check whether the goal cannot be achieved in another way, without infringing on your privacy. For example, we may use personal data for quality research or to handle your complaints. In addition, we can use data to contact former patients, but also for camera surveillance to protect your safety and health as a patient, and that of our visitors, employees and students.
• Scientific research: Erasmus MC is an academic hospital. This means that at Erasmus MC we not only perform medical treatments, but also conduct scientific research. We conduct this research in order to develop better care and treatments. If you are eligible to participate in scientific research, you will be extensively informed about this by your treating physician and your consent will be asked.

Sometimes we can use medical data and body material for medical research without your consent, if certain conditions are met. We then use data and / or material samples that we have already collected for your care in the hospital. If you object to this use, you can let us know. More information about scientific research with your data or body material and the option to object against this, can be found under the heading ‘ participants in medical scientific research’ and in this patient information brochure

Erasmus MC observes the following principles for processing personal data:

• Lawful, fair and transparent: We process your data lawfully, fairly and transparently. Lawful means that there must be a legal basis for the processing of your personal data. For you as a patient, this legal basis often is the treatment agreement that you have concluded with Erasmus MC. Proper and transparent means that processing is done in a responsible manner and that we make it clear to data subjects to what extent and in what way their personal data are processed. Information and communication about this must be easily accessible and understandable.
• Limited data processing: We only use the personal data we need for specific purposes, such as your treatment, identification, legal obligations or the handling of complaints.
• Limited retention periods: We do not store your data longer than necessary. Different types of data have different retention periods. We keep medical records for at least 20 years after your treatment. Certain data, such as discharge letters, surgery reports and test results, are retained for 115 years from your date of birth, as this is legally required for a university medical center.
• Accuracy: We strive for correct processing of your personal data. For example, Erasmus MC takes measures to ensure as much as possible that your personal data is and remains correct and up to date.
• Limited access: Only employees involved in your treatment have access to your personal data. These may include doctors, nurses, administrative staff and others, such as the receptionist who makes an appointment for you, or the healthcare administration employee who ensures that we can submit the bill for your care to your health insurer. Our employees only have access to the data which are necessary for fulfilling their task.
• Confidentiality: All employees involved have a duty of confidentiality and will not share your data with others unless this is legally or medically necessary. If we do want to share your information, we will obtain your consent, except in exceptional situations where a conflict of duties applies. In a number of cases we are legally obliged to share your data with others, for example with your health insurer and the Healthcare and Youth Inspectorate (in Dutch: IGJ). See the brochure about rights and obligations at Erasmus MC for more information.
• External parties: To facilitate good care, scientific research and education, Erasmus MC uses various systems in which personal data are processed. Consider, for example, the electronic patient file (in Dutch: EPD) system. Certain systems belong to Erasmus MC and are also managed by us, but systems and services from external parties are also used. These parties are called 'processors'. These are external parties who support us in our work and with whom we have made agreements about the protection of your personal data. We may send data to a party in a country outside the European Economic Area (EEA), for example for scientific research. In that case, we have contracts with that party to ensure that your data is safe and that they handle it properly.

The GDPR contains various rights that data subjects have to maintain control over their personal data. When someone uses these rights, we speak of a request from a data subject. As a patient, the following rights are relevant with regard to the personal data Erasmus MC processes about you:

• Right to access and obtain a copy of your medical file: You can view your personal data and complete patient file. You can view a lot of data yourself via our digital patient portal 'Mijn Erasmus MC' (My Erasmus MC) and via the Digitaal Verbonden (Digital Connected) app. If this is not enough, you can ask your physician for access to your medical file. The physician may protect certain parts of your file, such as personal notes.
• Right to access medical file consultations: As a (former) patient you have the right to request information about the consultations of your medical file. You can use the request form to request logging information for yourself, your minor child, or for a patient you represent. Logging data provides insight into, among other things, which (category) Erasmus MC employees have consulted your medical file, in which (among others) department they work, but also when the file was viewed. In principle, your request will be processed within one month.

You can also ask for a copy of your medical file. On the page 'accessing your medical records' you can read what you need to do to request a copy of your patient file.

• Right to correction: If you want to have data changed or something added to your file, you can indicate this to your doctor. You cannot change diagnoses, but you can add your own view. If your details are incorrect, for example if you have moved house, you can change this yourself in the patient portal or ask for correction at the registration desk.
• Right to destruction: You can request us to have (part of) your medical records destroyed. Erasmus MC does not have to comply with a request for destruction if we have another interest in retaining a file, for example because we are legally obliged to keep your data. We will explain to you the reason if your request is rejected. View the page about the medical records for information on how to request (partial) destruction.
• Right to data portability: If we process digital data about you, you can request to receive the data in digital form so that you can take the data with you and possibly transfer it to another hospital or another healthcare provider. The right to portability only applies to data that you yourself provide to Erasmus MC, such as data from your pacemaker or blood pressure monitor. It does not apply to the information that your doctor records, such as suppositions, diagnoses and treatment plans. If you wish to receive certain digital data, you can indicate this to your treating physician.
• Right to object: If we process your data because of a legitimate interest (for example to carry out a qualitative research) or to carry out a task of public interest (for example to carry out scientific research) and you prefer us not to do this, you can object to this data processing with your treating physician.

N.B. You cannot object to the creation of your patient file. We are legally obliged to create a file in order to be able to treat you.

We hope to have informed you sufficiently with this Privacy Statement, but we are ready to serve you well and answer any questions you may have. If you have any questions about your privacy at Erasmus MC, you can contact our Data Protection Officer (DPO). The DPO is independent and monitors the way in which Erasmus MC handles your privacy. You can reach the DPO via: functionaris.gegevensbescherming@erasmusmc.nl or telephone +31 10 703 49 86.

Are you not satisfied with the way we handle your privacy? In that case you can file a complaint to the Dutch Data Protection Authority. See the website of the Dutch Data Protection Authority how to do this. You can also telephone the Authority on 088-1805250.

Erasmus MC is an academic hospital. This means that at Erasmus MC we not only carry out medical treatments, but also conduct medical research to develop better care and treatments for diseases. This will help patients in the future.

We ask your consent for medical research, for example if we want to collect extra blood samples from you specifically for medical research. The Medical Ethics Assessment Committee (in Dutch: METC) reviews all research to be sure that the research is good and safe. Your treating physician will tell you all about the research, for example about its purpose, the benefits and disadvantages, and about how stressful it is for you.

In some cases we want to conduct medical research with medical data and tissue samples, such as blood, that we obtained during your treatment. This happens often not until after your treatment has finished, for example because of new discoveries. We usually ask for your consent first, but if that is not possible or difficult to obtain, we take care that your privacy and your health are protected. Researchers must keep your data secret. If you prefer your data not to be used for this purpose, you can object to such use with your treating physician. See for more information the brochure about secondary use of medical data (in Dutch).

Erasmus MC observes the following principles for conducting medical research:

• Anonymous or pseudonymous data: We use anonymised or pseudonymised data as much as possible. Which means that your data can no longer be traced (directly) back to you. For example, the data are stored under a code. Only the researchers can link that code to your identity.
• Restricted data processing: We will only use the data that we need for the specific medical scientific purpose for which you have given your consent in the consent form.
• Limited retention period: We do not keep your data longer than necessary. Research data is usually kept for at least 15 years in order to be able to check the reliability of the research later.
• Limited access: Your personal data can only be accessed by persons involved in the medical research that you are participating in. Your treating physician has no access to your research data if this person is not also the researcher conducting the study.
• Confidentiality: All those involved in the medical research that you are participating in are required to observe confidentiality and may only share your data with others if you have given your consent to do so on the consent form.
• Third parties: Erasmus MC sometimes engages the help of a third party for certain parts of the study (such as analyzing the research data). We ensure that these parties handle your data confidentially and carefully through agreements that we lay down in a contract.
• International transfers: If we transfer your personal data to a third party outside the European Economic Area, for example to a hospital in the United States, Erasmus MC makes agreements with these parties to protect your data, even outside European legislation.

These are the most important principles we follow as we process your data for scientific research.

As a patient and/or participant in a study, you have the following rights with regard to the personal data that Erasmus MC processes about you:

• The right to access and copy: If you participate in scientific medical research, you can view your research data and request a copy of it. This can include data from your patient record, as well as specific research data, such as questionnaires. You can always ask the researcher during the research study for access, copies and an explanation of how your data has been used.
• Right to rectification: If we have processed your personal data and it is inaccurate, you can ask for it to be corrected. For example, in the event you have moved house or in case of incorrect registration. Please inform the researcher mentioned in the consent form of the corrections.
• Right to object: If your data is processed on the grounds of legitimate interest (for example quality research) or for the public interest (such as scientific research) and you do not agree to this, you can object with your treating physician. This is only possible for research for which permission has not been requested.
• Right of withdrawal: if you have previously given consent for scientific research, you can withdraw this consent according to the instructions in the consent form. Please contact the investigator in the form.
• Right to destruction: If you wish to have personal data destroyed, that are collected for scientific research, you can address this request to the researcher mentioned in the consent form. Research data is often stored for 15 years, in order to be able to check the research afterwards. This means that you cannot always have your personal data deleted immediately, but if you have given permission for your data to be stored in a database or biobank for future scientific research, you can request for your data to be removed from these.

These are your privacy rights as a research participant. They help you stay in control of your data and how your data is used.

We are here committed to serve you well and to protect your data. If you have any questions about your privacy at Erasmus MC, you can contact our Data Protection Officer (DPO). The DPO is independent and supervises the way in which Erasmus MC deals with your privacy. You can contact the Data Protection Officer by email: functionaris.gegevensbescherming@erasmusmc.nl or by phone +31 10 703 49 86.

Do you have a complaint about a scientific study in which you are participating and for which you have given permission? Then you can also first contact the principal investigator. You can find the contact details in the information leaflet about the study and in the consent form.

Are you not satisfied with the way we handle your privacy? Then you can submit a complaint to the privacy regulator, the Dutch Data Protection Authority. See the website of the Dutch Data Protection Authority how to do this. You can also contact the regulator by telephone on 088-1805250.

Erasmus MC handles all personal data with care. Also if you apply for a job with us, we will treat your data confidentially. If you apply for a job with us, we will ask for your CV and a cover letter in addition to your personal details. This is done by means of the application form on the website.

We will only use this data for our own recruitment and selection purposes. We do not provide your data to third parties, unless there is a legal obligation or if we have agreed with each other to do so. If we do not enter into an employment relationship with each other, your data will be deleted no later than 12 weeks after the end of the application procedure. However, you can give permission for your data to be stored for a longer period of time, up to a maximum of two years after the end of the application procedure. This way we can approach you again for career events or if a suitable position may become available for you later.

See the EUR website for the privacy statement for students.

See Agora, the intranet of Erasmus MC for the our privacy statement for employees.

Erasmus MC has a public website (www.erasmusmc.nl). Erasmus MC uses so-called 'cookies' to collect and analyze information about the use of the website. These are small files that are sent along with web pages and stored by your browser. When you visit our website, we process data from your visit. We use this data for statistical purposes. For example, to be able to see how often a website is visited, which website(s) visitors come from and which pages on a website are visited.

The cookies we use have no impact on your privacy. We do not collect any personal data. Because we meet all the conditions (for example, we do not collect data for advertising functions and we do not share data with Google or other third parties), we do not need to ask your permission to place our analytical cookies. You can read more about this in our cookie policy.