- For what purposes are your personal data processed?
- How long are your personal data kept?
- What are your rights?
- How can you exercise your rights?
- How are your personal data protected?
- How do we handle your personal data when using WhatsApp?
- How can you get in touch with the health insurer?
1. For what purposes are your personal data processed?
CZ needs to record and process personal data in order to implement the provisions of the Healthcare Insurance Act and administer the policies and claims of people who are insured with CZ. Specifically, to be able to identify people, CZ keeps a record of the Dutch personal identification number (BSN) of every person with CZ insurance; this is required by law.
CZ also uses your personal data for various other purposes, but only to the extent necessary for the specific purpose.
CZ uses personal data for:
I. assessment and acceptance;
II. concluding the contract and administering the policy;
III. commercial and direct marketing purposes.
Below, we explain in full what each of these 3 purposes entails.
I. Assessment and acceptance
CZ uses your personal data to check whether you are required by law to take out the general insurance. Under the Healthcare Insurance Act, a health insurer must, in principle, accept any person for the general insurance if that person is required by law to have this insurance.
For our most comprehensive additional dental insurance and for the insurance policy for persons residing abroad who are not obliged to have Dutch health insurance, CZ requests personal data concerning a person's health in the framework of the acceptance policy, to assess whether the person qualifies for the insurance he or she is applying for. Such personal data concerning health are assessed under the responsibility of, respectively, the dental advisor or the medical advisor. As a result of the assessment, the person applying for insurance may be offered a policy other than the one requested.
Automated processing of the insurance application
When you apply for the general insurance or additional medical expenses insurance, your personal data are processed in an automated system. This system uses the information you entered on your application form, whether this was in print or in electronic form.
When you apply for a more comprehensive dental insurance package or the insurance policy for persons residing abroad who are not obliged to have Dutch health insurance, the processing may also involve personal data concerning your health. This will result in either your application being approved and you being able to take out the insurance, or in your application being rejected. You can always contact CZ to ask a question or submit a complaint about the automated processing of your application.
II. Concluding the contract and administering the policy
CZ needs to have your personal data to conclude the contract with you for the general insurance and additional medical expenses insurance and to administer the policy and claims. Data concerning health are also needed to administer your policy and claims.
By ‘administer your policy and claims’ we mean: determining whether you are entitled to healthcare and/or the reimbursement of this care; paying the healthcare provider; settling your claims; collecting premiums; determining how much you need to pay for the personal contribution and the compulsory and voluntary deductible; performing checks; combatting fraud (including through an internal registration system); claiming damages from third parties; conducting surveys among insured persons on the quality of the care provided; improving services (including technical support); providing groups of individuals with information that is relevant to them; limiting any payment arrears the policyholder may have with the health insurer; ensuring that the policyholder no longer owes an administrative premium; handling complaints and disputes; and analysing data (including personal data) for risk management purposes (including keeping healthcare expenses in check) and for the purpose of purchasing healthcare.
Exchanging data with third parties
Your personal data are sometimes shared with or received from third parties. We will never sell your personal data to anyone. Examples of third parties with whom we share personal data are:
- Dutch Central Administration Office (CAK): CZ and the CAK exchange your personal identification number (BSN) if you fall under the ‘regeling wanbetalers’ (defaulters’ arrangement) or the ‘regeling onverzekerden’ (uninsured persons’ arrangement). This is required by law;
- Municipal Executive: CZ exchanges personal data with the Municipal Executive in the municipality in which you live to prevent and reduce debts. This is required by law;
- Employers and member organisations: if you receive a discount on your premium because you are part of a group, CZ uses your personal data to periodically check with your employer or member organisation whether you are still entitled to this discount;
- Intermediary: If you take out insurance through an intermediary, exchange of personal data with the intermediary can also take place to the extent this is necessary for the intermediary to perform its duties, and to pay the commission. This only concerns policy details, never personal data concerning health;
- Care administration offices (zorgkantoren): to prevent healthcare being paid for both through the Chronic Care Act and the general insurance, and to coordinate the healthcare insured on the basis of the health insurance and the Chronic Care Act;
- ‘Sociale Verzekeringsbank’ (SVB): the SVB (the body that implements the Dutch national insurance schemes) receives personal data from care administration offices for the insured persons administration referred to in Article 35 of the Work and Income (Implementation Structure) Act, for payments charged to the personal care budget and for the related budget management;
- Supervisory bodies: CZ exchanges personal data with supervisory bodies (like the Dutch Healthcare Authority or the Dutch Data Protection Authority) if this is needed by the supervisory body to carry out its official duties. This is required by law;
- CZ regularly receives requests from institutions like university hospitals or research facilities to use personal data (concerning health) for scientific research or for statistical purposes. These personal data are only provided if and to the extent that anonymous data will not suffice, the research is in the public interest, and requesting permission is not possible;
- Incident register: CZ maintains an incident register in which personal data are recorded. This register contains incidents that put, or could put, at stake the interests, integrity or safety of insured persons, CZ, CZ staff and/or the financial sector as a whole. Examples of such incidents are submitting false claims, identity fraud, skimming, embezzlement at work, phishing, and deliberate deception;
- External Reference Index (EVR): this contains personal data of persons for whom it has been sufficiently established that their conduct poses or could pose a threat to the financial interests of CZ, CZ staff and/or persons insured by CZ. The data in the EVR can be viewed by participants in the financial institution incident alert system protocol;
- The BRP register: health insurers receive personal details from the ‘Basis Registratie Personen’ or ‘BRP’, the register maintained by the Dutch government that records key personal data of persons living in the Netherlands;
- Healthcare providers who have a contract with CZ: these providers claim the costs for the healthcare provided directly with CZ.
Please notify us if there are compelling reasons why healthcare providers should not have access to your address details; we will then hide these details accordingly. This also applies with regard to any person you are being protected from: here, too, you can have your details hidden, even if the person concerned is the policyholder.
Whenever CZ uses the services of third parties for its activities, we endeavour to ensure that data is processed only within the European Union or countries/organisations that the European Commission considers to guarantee an adequate level of security. However, this is not always possible. Your personal data – including data concerning your health – may be processed in a country other than those referred to above. If so, we will contractually ensure that these processors provide sufficient guarantees.
Personal data concerning health
CZ takes particular care when it comes to personal data concerning health. CZ uses personal data concerning health to determine whether you are entitled to healthcare or reimbursement for healthcare. To the extent necessary, personal data concerning health are also used for verification purposes, conducting fraud investigations, claiming damages from third parties, and for analyses for healthcare procurement and risk management purposes.
CZ’s medical adviser will always belong to a profession listed in the ‘BIG register’ (the Dutch register of Individual Healthcare Professions), which includes doctor, dentist, physiotherapist, obstetrician, nurse, health care psychologist, psychotherapist and pharmacist.
The medical adviser has a statutory duty of confidentiality. The use of personal data concerning health falls under the responsibility of the medical adviser(s), and the relevant medical adviser is responsible for every employee who uses personal data concerning health, except where this use concerns activities of a purely administrative nature, such as processing claims from healthcare providers or forwarding and digitising post. The group of employees under the responsibility of the medical adviser is called the ‘functional unit’. Employees in the functional unit have the same duty of confidentiality as the medical adviser.
Automatic processing of pre-authorisation requests and claims
Your pre-authorisation request (‘machtigingsaanvraag’) is handled with due care, in a process that uses criteria drawn from the terms and conditions of insurance to assess your request; these criteria may be applied in an automated system. You will always be informed whether the request has been accepted or rejected; this notification will also explain how you can submit a complaint should you wish to do so.
Claims are generally handled using an automated system, in a process that uses criteria drawn from the terms and conditions of insurance to assess your claim. You are entitled at all times to ask a question or submit a complaint about the automated processing of your claim.
CZ may decide to outsource certain activities, though CZ remains responsible at all times for the processing of your personal data. CZ outsources activities to service providers like VECOZO and Vektis, among others.
III. Commercial and direct marketing purposes
CZ uses your personal data to keep you informed on other products and services we provide that may be of interest to you. We never use data concerning your health (such as details from your claims) for commercial purposes. CZ sometimes selects groups of individuals from its customer base, to recommend a product to a certain target group for example. In making selections for commercial purposes, CZ does not use personal data concerning health or financial data as selection criteria.
CZ will use your personal data to make analyses for the purpose of marketing activities. CZ will not use any personal data concerning your health in these analyses.
If you receive emails from CZ to inform you about our offerings, CZ can use email tracking to save click behaviour in emails, for example to see when an email has been opened or when you have clicked on certain articles in the newsletter. This information can be used to improve our email campaigns so that the content is better suited to your preferences. The tracking mechanisms we use do not store any information on your computer the way cookies do.
2. How long are your personal data kept?
CZ stores your personal data only for as long as it needs to for the purpose for which CZ originally received the personal data. In most cases this means 7 years (starting from 1 January of the year following the year to which the data relate), but there are a few exceptions. The exceptions are:
- Insurance is not taken out
You may have applied for insurance with CZ but ultimately did not take this out, perhaps because you changed your mind, or maybe because CZ declined your application. In such a situation, CZ saves your information for one year so that we can refer to this information should you decide to apply again the following year. This also allows CZ the option of drawing your attention to other products that may be of interest to you, assuming you have not specified that you do not want us to do this.
- After cancellation of your insurance
If you had insurance with CZ and this has been cancelled, we save your personal data for a maximum of 7 years after your policy has ended, or from the time of receiving the last claims under the policy. One of the reasons we do this is to comply with our obligations under the Healthcare Insurance Act. We may use your personal data for direct marketing purposes for a maximum of 2 years, unless you have specified that you do not want us to do this.
- Personal data concerning health in an investigation
If we carried out an investigation in which we used personal data concerning your health, we store these data for as long as necessary to complete the investigation and secure our rights, such as to recover funds wrongly paid where a claim has been submitted for healthcare that was not provided.
If we use your personal data in the course of a fraud investigation, we retain these data for 8 years after the investigation has been closed.
- Recording phone calls for training purposes
We may record phone conversations we have with you for the purpose of training our staff so that we can improve our service. Such recordings are kept for as long as necessary, with a maximum of 6 months.
- Poor payment practices
If your insurance is cancelled because of non-payment or late payment, your personal data will be stored for a maximum of 5 years.
3. What are your rights?
In terms of your personal data, you have the right of access, rectification, erasure, restriction, data portability, objection, and withdrawal of your consent. You can read about what each of these rights entails below.
You have the right to request access to the personal data CZ holds about you and to the information regarding the purposes for which it uses your personal data.
Through your personal ‘Mijn CZ’ page, we provide you with secure access to much of the personal data we process about you (name and address details, insurance details, information on the deductible and premiums you have paid to date, and the costs of the healthcare provided).
You may wish to see other specific information however, in which case you can submit a request. In your request, please specify the personal data you would like to see.
If you have provided CZ with personal data or these have been provided on your behalf, and if CZ processes these personal data by an automatic means, you have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format.
CZ can also send these personal data to another health insurer directly if the personal data in question are needed for you to be able to switch to the other health insurer, or if they are needed for authorisations provided by CZ for reimbursing healthcare costs.
If you would like CZ to send the personal data to the other health insurer directly, please state this in your request.
If you believe that personal data held by CZ are incorrect or inaccurate, you can ask for them to be corrected. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Correcting incorrect, incomplete or inaccurate personal data is called rectification.
In your request, please specify what personal data need to be corrected and why.
You have the right to ask CZ to erase the personal data we hold on you if one of the following situations applies:
- CZ no longer needs your personal data;
- your personal data are used with your consent, but you are now withdrawing that consent;
- CZ is not entitled to use your personal data;
- CZ was already required by law to delete your personal data;
- CZ is using your personal data for social media.
In your request, please specify the personal data you would like CZ to erase and why you feel that CZ should do this. If your request concerns data relating to your insurance, in many cases CZ will not be permitted to erase these personal data. This could be, for example, because CZ still needs the personal data as part of its obligation to retain data for a particular period of time (see section 2).
You have the right to obtain restriction of processing your personal data:
- during the time CZ needs to determine whether your personal data do indeed need to be corrected;
- if CZ was not entitled to use your personal data but you do not want to erase your data either;
- while you are awaiting a response to your objection with CZ to the use of your personal data.
Restriction of the use of your personal data means that CZ needs your permission to use the data if and when required. There are several exceptions to the above. Your personal data can still be used:
- to administer your health insurance and additional medical expenses insurance policy and claims, so that you can remain insured and your health insurer can pay your claims;
- to establish, exercise, or defend a legal claim;
- to protect the rights of another natural or legal person; or
- for reasons of overriding public interest in the European Union or a Member State, when public health is at risk for example.
In your request, please specify why CZ may not use your personal data. You can also include the request to restrict the use of your personal data with a request to rectify your personal data or with an objection, in which case the processing of your personal data will be restricted until your data have been corrected or the objection process has been completed.
You have the right to object to the use of your personal data for direct marketing purposes. If your personal data is being used for a purpose other than direct marketing or administration of your insurance policy and claims, you may object to this use on grounds relating to your particular situation. In your objection, please specify which personal data this concerns and the reason for your objection.
If CZ processes your personal data strictly with your consent, you may withdraw this consent at any time. Consent cannot be withdrawn with retroactive effect however, meaning that the withdrawal of consent will not affect any processing operations already completed.
In your request, please specify which consent you would like to withdraw.
4. How can you exercise your rights?
If you would like to make active use of one of the rights described above, you can send your request, by letter or email for example, to CZ’s Data Protection Officer. In principle, we will respond to your request or objection within one month. If your request or objection is complex, however, this period can be extended by an additional two months, in which case CZ will inform you of this extension within one month of receiving your request.
If you are not satisfied with the way in which your request or objection has been handled, you may lodge a complaint with the Dutch Data Protection Authority (or with a supervisory authority in any other EU Member State). You also have the right to apply to the court.
5. How are your personal data protected?
To protect personal data, CZ has implemented and maintains security measures throughout the organisation. These measures, which involve the organisation, staff, processes, technology, and physical security, are set out in CZ’s security policy.
Developments in the world of information security are moving fast. The measures used by CZ have been derived from internationally applicable standards like ISO/IEC 27002. Using risk analyses, internal control plans and independent audits, CZ checks periodically to ensure that these measures are still fit for purpose. CZ is also under the direct supervision of various supervisory bodies and the external auditor. These parties verify, among other things, that our information security management system functions properly. If CZ makes use of third parties for the processing of personal data, CZ ensures that the third party has implemented appropriate data security that is adequate for the type of personal data being processed.
6. How do we handle your personal data when using WhatsApp?
If you have questions about your health insurance, you can also message us on WhatsApp. We will not share any sensitive personal information with you by WhatsApp, such as medical data, or any other personal data. This is because WhatsApp is less reliable and secure than, for example, email or chat. For this reason, we will never ask you for confidential information on WhatsApp. We also kindly request that you do not share any sensitive personal data using WhatsApp.
Under WhatsApp terms and conditions for business users, we have 24 hours to respond to any messages you send us on WhatsApp. This 24-hour term starts every time you send us a message. After expiry of the 24-hour term, we can only send a standard message in response to your message. In such a standard message, we will ask you for consent to continue the chat. We can only continue the chat if you respond ‘YES’. If you do not respond, we will send you one reminder and one message advising you that we are closing the chat.
7. How can you get in touch with CZ?
Please address your letter to:
CZ Customer Services
Postbus 90152, 5000 LD Tilburg, Netherlands
The main changes since the last version
Whenever CZ uses third parties in processing your personal data, your personal data may be processed in a country where the privacy requirements that apply in the Netherlands do not apply. When this is the case, CZ will enter into separate agreements to guarantee your privacy.
Tilburg, 23 January 2019