This privacy statement applies to the processing of personal data by TWB, Thuiszorg West-Brabant, located at Belder 2, 4704 RK in Roosendaal, hereinafter referred to as TWB.

Processing of personal data by Thuiszorg West-Brabant

For TWB, the protection of personal data is very important. TWB respects your privacy and ensures that your personal data is always treated confidentially and in accordance with the applicable privacy legislation. TWB strives to safeguard the privacy of its clients, employees, partners and visitors as best as possible, whether it concerns recording or providing your data, or having a confidential conversation with your healthcare provider(s) or your manager.

TWB complies with the requirements of the General Data Protection Regulation (GDPR). That is why we find it important to provide you as a client and/or visitor with information about:

• the personal data that we process about you;
• the way we do that;
• the provision of data to others within or outside Europe;
• how long we keep your data and;
• how we secure this data;
• your rights as a data subject;
• who you can contact with questions, requests and complaints.

We ask that you read this information carefully.

Who is the privacy statement intended for?

Clients, employees, partners and visitors.

How we work

Obligation to provide data

You are required to provide the data requested by us if it is necessary for us to process that data. Below we explain why we need your data, for example to be able to enter into an agreement with you, to execute it and/or to comply with a legal obligation. If you do not want to provide the requested personal data, this may mean, for example, that we cannot take care of you or that we cannot enter into an employment contract with you.

The data we process from you

We only process the following data from you:

clients

• your name, first names, initials, gender, date of birth, address, postal code, city, telephone number and other data that we need to communicate with you, such as your e-mail address;
• your client number and policy number of your health insurer;
• your Citizen Service Number (BSN). Use of this number is mandatory to securely exchange data with the healthcare office, the health insurer, the government and other healthcare providers;
• your IBAN number (only when we charge you directly for costs incurred);
• data about your health. We use the data to determine, test, monitor and implement individual care and service provision;
• medication lists to provide insight into which medication you should have received and whether it was
  has actually been received;
• data that are important for the handling of a complaint by you or your contact person;
• data to get in touch with your contact person, such as name, telephone number and
  e-mail address;
• contact details of your GP, pharmacist and other healthcare providers;
• other data necessary for the performance of the healthcare agreement concluded between you and us or applicable legal provision.

The processing of the above data is only done for one or more of the following purposes:

• to be able to communicate with you;
• to be able to enter into a healthcare agreement with you;
• for determining, testing, monitoring and implementing individual care and service provision;
• to be able to exchange data securely with parties that contribute to providing you with good care;
• recording and declaring the care provided to you;
• administration of your client file;
• to invite you to participate in a customer satisfaction survey;
• the implementation of applicable legislation, such as the WGBO and the Wkkgz.

Applicants

• your name, first names, initials, title (if applicable), gender, date of birth, address, postal code,
  place of residence, telephone number and other information we need to be able to contact you
  communicate, such as your email address;
• information about training courses, courses and internships you have completed and will continue to complete;
• information about the position you are applying for;
• information about the nature and content of your current job, and information about the termination of
  that current job;
• information about the nature and content of previous jobs you have had and about the termination of
  those jobs;
• other data for the purpose of fulfilling the function, which have been provided by you or which you
  to be known;
• other data necessary for the implementation or application of a law.

The processing of the above data is only done for one or more of the following purposes:

• the assessment of your suitability for a position that is or may become available;
• internal control and corporate security;
• the ability to offer an employment contract;
• the implementation or application of a law.

Employees

We only process the following data from you in the personnel administration:

• your name, first names, initials, title (if applicable), gender, date of birth, address, postal code,
  place of residence, telephone number and other data we need to communicate with you,
  such as your email address;
• BSN, VOG, payroll tax, BIG, Hepatitis passport, registration in quality register(s), ID card,
  diplomas, evidence documents for determining anniversary dates;
• your IBAN number;
• data for the purpose of calculating, recording and paying your salary, allowances and
  other sums of money and rewards in kind to you or for your benefit;
• an administrative number that does not contain any information other than that referred to in the first bullet point;
• your nationality and place of birth;
• information about training courses, courses and internships you have completed and will continue to complete;
• information about your position or your former position and information about the nature, content and
  termination of your employment contract;
• data for the purpose of administering your presence at the place where the
  work is being carried out;
• data for the purpose of administering your absence in connection with leave,
  reduction in working hours, childbirth or illness, with the exception of data on the nature of the illness;
• data that is recorded in your interest with a view to your working conditions;
• data for the purpose of (organizing) the personnel assessment and the
  career guidance, to the extent that such data is known to you;
• data necessary for the implementation or application of a law.

The processing of the above data is only done for one or more of the following purposes:

• leading you;
• determining and paying your salary;
• providing guidance during absence;
• the handling of personnel matters;
• arranging claims for benefits in connection with the termination of your employment contract;
• determining your education;
• determining the occupational medical care that applies to you;
• for the benefit of corporate social work;
• the election of the members of a works council or staff representation;
• internal control and corporate security;
• the implementation of an employment condition that applies to you;
• compiling a list of dates of employee birthdays and other festivities and
  events;
• the granting of discharge;
• the administration of the staff association;
• the collection of claims. This also includes the outsourcing of a claim
  for example to a collection agency or a bailiff;
• handling disputes and having an audit carried out;
• sending gifts or invitations to company parties, etc.;
• sending internal communications;
• the implementation or application of another law.

Legal grounds for processing your personal data

The legal basis for the aforementioned processing purposes is:

• the consent you have given (Article 6 paragraph 1 sub a GDPR);
• taking pre-contractual measures at your request and/or executing the agreement concluded with you, e.g. the healthcare or employment contract (Article 6 paragraph 1 sub b GDPR);
• compliance with legal obligations (Article 6 paragraph 1 sub c GDPR);
• protecting the vital interests of yourself or others (Article 6 paragraph 1 sub d GDPR);
• the performance of a task carried out in the public interest or in the exercise of official authority (Article 6 paragraph 1 sub e GDPR); and/or,
• the promotion of the legitimate interests of TWB or of a third party (Article 6 paragraph 1 sub f GDPR).

Explanation of legitimate interests

In some cases, there is no legal obligation, an agreement or given permission for processing your personal data. In that case, TWB can rely on its legitimate interest. TWB recognizes the following goals for legitimate interests:

• direct marketing purposes, such as informing you about TWB activities;
• assess whether you are a suitable candidate for the position (for applicants);
• security of TWB's buildings and properties;
• security and availability of the network infrastructure to third parties. For example, making wifi available to guests;
• fraud prevention. Control of logging information systems;
• quality and training purposes;
• internal audits to improve the quality of care;
• scientific (or historical) research.

You can object to this processing on the basis of the right to object. More information about this right can be found later in this statement.

Transfer of your personal data

In principle, we only use your personal data for ourselves (our own business operations) in the context of healthcare provision and the (execution of) the employment or healthcare agreement. We only use this data for the purposes for which this data was obtained by us. In some cases, it may be necessary to pass on your data to others, such as to a party that processes data on our behalf or that contributes to providing good care to you. A few examples:

Client

• Client file: suppliers of our software in which, among other things, the client file is maintained and the planning is kept.
• Municipality: in case of legally required inspection by the municipality. The municipality checks whether TWB is not committing fraud.
• Chain partners: parties that contribute to the delivery of good care together with us. Think of your GP, pharmacist or hospital.
• Health insurance: when declaring care provided to you. But also during legally required material control by the health insurer. The health insurer checks whether TWB is not committing fraud.
• Survey agency: for setting out the customer satisfaction survey. The surveys are conducted anonymously, whereby the survey agency only receives contact details.

Employee:

• personnel file: suppliers of our software in which, among other things, the personnel file is maintained and courses are given;
• illness and reintegration: data is provided to the company doctor and/or UWV and/or reintegration agencies;
• a wage garnishment: information is provided to the bailiff;
• pension: data is provided to the pension fund;
• accountant: data is provided to our accountant. The accountant checks whether TWB is not committing fraud;
• the tax authorities: for the payment of payroll tax;
• Ministry of Justice: for the mandatory Certificate of Good Conduct.

With parties that process personal data on our behalf (the so-called 'processors'), we conclude (to the extent necessary) processing agreements. We do this so that when we provide data to them, it is properly recorded that they also secure this data properly and that they must report to us in a timely manner in the event of a (suspected) data leak.

Automated decision-making and profiling

TWB does not use automated decision-making and/or profiling.

Storing your personal data

We do not store your data for longer than is necessary for the purpose for which we have processed it. We observe the statutory retention periods, if any. Data may be stored by us for longer if we have a legitimate interest in doing so (for example, if legal proceedings are ongoing or have been announced and we must be able to defend ourselves).

Securing your personal data

The security of your personal data is regulated by us through physical, administrative, organizational and technical measures. We therefore have an appropriate level of protection. This is laid down in our information security policy. We also adjust this periodically when necessary.

Persons who have access to your data on behalf of TWB are bound to confidentiality. TWB requires the same technical and organizational measures from its processors/partners and has laid this down in processor agreements.

Your rights

If your personal data is processed, you also have privacy rights. We respect these of course. We list the rights for you:

Right of inspection

You have the right to view the personal data processed by TWB. Clients can view their care file via Caren Zorgt. Employees can view their file via AFAS.

Correction right

You have the right to have data that is factually incorrect changed. Please note: you cannot have a performance report or expert opinion corrected if you disagree with it.

Right of removal

You have the right to have your data deleted in certain cases. Please note: we do not have to comply with this if we still have a legitimate interest in retaining your data (for a longer period of time), if this is necessary in connection with the execution of your healthcare or employment contract or to comply with a legal obligation.

Right to object

The right to object means that you can object to certain processing of your personal data due to your specific situation. You have this right for all processing based on the legitimate interest (as explained above) of TWB.

If you object to the use of your personal data to inform you about TWB activities and similar processing, we will always honor this objection. Your data will then no longer be used for our direct marketing purposes.

Right to restriction

Under certain circumstances, you have the right to restrict the processing of your data. This means that TWB will temporarily not process your data. You can invoke this right in four situations:

1. pending the assessment of a correction request;
2. if data should actually be deleted but you do not want it to be deleted;
3. if TWB no longer needs the data while you do need the data to prepare for legal proceedings;
4. pending the assessment of an objection.

Law op Gegevensoverdraagbaarheid

You have the right to receive (back) the data you provided to TWB. This right only applies to the personal data that we process from you based on your consent or an agreement concluded with you, such as the employment contract or care agreement. Furthermore, the right only applies to the data that we already process in digital form (so not for 'paper' processing). You are free to then pass on that data to another party. If there is a link between our systems and the systems of the party to which you want to have the data passed on, we may be able to take care of that transfer directly on your behalf. Please inquire about the possibilities.

Withdrawal of consent

You have the right to withdraw your consent at any time. We will then immediately cease processing. Withdrawal of consent does not have retroactive effect; all processing that has already taken place therefore remains lawful.

Exercise of rights

Exercising your rights is in principle free of charge for you, except in the event of abuse. You exercise your rights by contacting us using the contact details below.

Terms

We will answer your question or request as soon as possible and in any case within four weeks. If it takes us more time, we will inform you within four weeks. It is possible that due to the complexity of the request/question and/or the number of requests/questions, the response period may increase to a maximum of three months in total.

Identification

If you ask us a question or make a request, we may ask for proof of your identity. We do this to prevent us from sending your personal data to the wrong person or organization or making incorrect changes to your personal data.

Individual assessment of each request

There may be circumstances that prevent us from complying with a specific request. We will always assess each request on a case-by-case basis. If we are unable to comply with a specific request, we will of course inform you of this with reasons. In that case, you may then take legal action. The right to object to the use of your data for direct marketing purposes (such as informing you about TWB's activities) is absolute. Unsubscribes from our commercial communications will therefore be honored in any case.

Data Protection Officer

TWB has appointed a Data Protection Officer (DPO). The DPO monitors compliance with privacy legislation and advises TWB on privacy legislation. The DPO is independent and enjoys statutory dismissal protection. The DPO reports directly to the TWB Board of Directors. The DPO is also the contact person for all questions regarding privacy, both for you as the data subject and for the supervisory authority. You will find the contact details of the DPO at the bottom of this privacy statement.

Questions and contact details of the Data Protection Officer

If you have any questions about this privacy statement or our privacy policy, or if you wish to exercise one of your legal rights, you can contact our Data Protection Officer via [email protected].

Complaint

If you have a complaint about the way in which TWB handles your personal data, you can contact the Data Protection Officer via [email protected]. If we cannot reach an agreement, you are free to file a complaint with the supervisory authority. The supervisory authority for privacy legislation is the Dutch Data Protection Authority. You can find the contact details of the Dutch Data Protection Authority via the website authoritypersoonsgegevens.nl.

Date and adjustment of the privacy statement

TWB reserves the right to amend this privacy statement. Amendments will be announced on the TWB website. If there is an important amendment, we will inform you. This privacy statement is from July 2023.

Terminology and abbreviations

Personal data is any information about an identified or identifiable natural person. For you, this means that this information is directly about you or that this information can be traced back to you. This can be, for example, your name, date of birth and address, but also your client number or employee number.

Processing personal data concerns all actions that we can perform with your personal data, from collection to destruction. This is therefore a very broad concept. Actions that fall under it in any case are: collecting, recording, organizing, storing, updating, changing, retrieving, consulting, using, forwarding, distributing, making available, combining, linking, shielding, erasing and destroying data.